apples, penguins and a window to another world

template to report xss vulnerabilities

As a tech-savvy (security-focused) Internet citizen I'm often tinkering with sites using manual or automated techniques. Often there are issues, mostly regarding XSS. Discovering websites prone to XSS attacks is no supreme discipline (especially if your name is, e.g., Gareth Heyes), but the tedious task of reporting them is.

Enough written; following is a short XSS report template to report such issues directly to the website owners:

<TEMPLATE>To whom it may concern,

your website <INSERT_WEBSITE_HERE>, is vulnerable to Cross-Site Scripting (XSS) attacks. XSS allows an attacker to embed malicious scripting code (JavaScript, VBScript, ActiveX, HTML, or Flash) into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems.

The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on.

The above mentioned XSS on your website is here:
<INSERT_XSS_LIVE_LINK_HERE>

"A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center).

What can you do about it?

Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output.

XSS holes can be damaging and costly to your business if abused. Filtering < and > alone will not solve all cross-site scripting attacks. It is suggested you also attempt to filter out ( and ) by translating them to &#40; and &#41;, " to &#34;, ' to &#39;, and also # and & by translating them to &#35; (#) and &#38; (&).

If you have any questions, do not hesitate to contact me.

Sincerely

<YOUR_NAME>
</TEMPLATE>
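As an added illustration (not part of the original post), the output-encoding rule from the template's "What can you do about it?" section implemented in Python, beside a hypothetical `render_search_page` that reflects a search term either raw or encoded; the page function and the sample input are assumptions made for this example:

```python
import html

# Output-encoding map from the report template above: each metacharacter
# and the HTML entity it is translated to before being written into a page.
TEMPLATE_ENTITY_MAP = {
    "&": "&#38;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    '"': "&#34;",
    "'": "&#39;",
    "#": "&#35;",
}
_TRANSLATION_TABLE = {ord(ch): ent for ch, ent in TEMPLATE_ENTITY_MAP.items()}


def encode_for_html(untrusted: str) -> str:
    """Replace every metacharacter in the template's list with its entity.
    str.translate makes a single pass, so a literal '&' in the input becomes
    '&#38;' while the '&' of the entities produced here is never re-encoded."""
    return untrusted.translate(_TRANSLATION_TABLE)


def renders_as_same_text(untrusted: str) -> bool:
    """Encoding is lossless: the browser decodes the entities back to the
    original characters but displays them as text instead of parsing them."""
    return html.unescape(encode_for_html(untrusted)) == untrusted


def render_search_page(query: str, encode: bool = True) -> str:
    """Hypothetical dynamic page (assumed for this example) that reflects a
    search term. encode=False reproduces the vulnerable pattern the report
    describes: untrusted input copied into the page verbatim."""
    shown = encode_for_html(query) if encode else query
    return f"<p>Results for: {shown}</p>"


def contains_raw_markup(page: str) -> bool:
    """Crude check for comparing the two renderings: is an unencoded tag or
    event handler still present in the generated HTML?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered


# Constructed sample input: the textbook XSS probe string.
SAMPLE_QUERY = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print("vulnerable:", render_search_page(SAMPLE_QUERY, encode=False))
    print("encoded:   ", render_search_page(SAMPLE_QUERY))
```

Entity encoding of this kind protects the HTML body and quoted attribute contexts the template has in mind; a value written into a script block, a URL or an event handler needs the encoding appropriate to that context instead.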

PS: Alternatively you can submit your newly discovered XSS to public archives like http://www.xssed.com/, or tweet to http://twitter.com/XSSExploits, but I prefer a personal notification.

Please see http://www.cgisecurity.com/xss-faq.html for more information and examples.

 
