If anyone is curious, these security holes were found in dynamically generated javascript that included a GET parameter that was neither encoded nor run through magic_quotes. They were easy to find to the point where an automated scanning tool could almost certainly identify them.
Well, at least they had to <i>try</i> to find a hole. I've had the pleasure of maintaining a "typical PHP project" - written by someone with no clue about xss, csrf or anything else. It had an admin interface that simply returned the Location: / header to an unauthorized user without exiting. In a publicly accessible /admin folder no less. The owner only wisened up when Yahoo's spider crawled in and followed all the "delete news item" links. Yes, GET links for delete, and DB storing passwords in plain text, isn't that nice.