17-09-2014 11:07 PM - edited 17-09-2014 11:10 PM
A spot of reading around has suggested that:
a) I really don't understand this;
b) it's surprisingly difficult for websites to totally prevent XSS attacks;
c) most attacks involve a degree of social engineering - luring users into taking dangerous action, such as signing in to a fake welcome page, thus surrendering their details to the attacker;
d) some attacks can harvest data stored on the user's own computer, e.g. session/login cookies, which would make it easy for the attacker to impersonate the victim and take over the account concerned. Fortunately, these are fairly easy for sites to mitigate, e.g. by not allowing cookies to be retrieved if the attempt to retrieve them seems to originate from a different IP address to that in use when they were set;
e) as ever, we can reduce our vulnerability by using fully patched software, being ultra-vigilant (not always easy) and taking advantage of such security features as may be available, e.g. the NoScript add-on, certain browser settings.
It might be unfair to blame eBay for cross-site scripting attacks occurring from time to time, although I believe that given eBay's resources, such attacks should remain very rare.
What is more worrying is their slowness in responding to these problems - I noticed the comments on Seller Central earlier, and the thread which was shifted here from SC a day or two ago. And yes, I think shifting that thread to the relatively lightly-read tech board was a little naughty - it might have been well-intentioned moderation, of course, shifting a technical sort-of matter to the tech board - sadly, there is just the tiniest whiff of "cover up" to it.
If anyone can come up with simple anti-XSS measures for us ordinary computer users, as opposed to site designers and maintainers, then that information would be greatly appreciated.
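Server-side session handling of the kind sketched in point (d), as an added example that is not part of the original post: each session is bound to the client address it was issued to and is refused when presented from elsewhere, and the cookie is set HttpOnly so page scripts cannot read it in the first place. The in-memory store, the helper functions and the sample addresses are all constructed for illustration, not any real site's code.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> (user, client address it was issued to)
SESSIONS: Dict[str, Tuple[str, str]] = {}


def issue_session(user: str, client_ip: str) -> Tuple[str, str]:
    """Create a session bound to client_ip; return (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)          # unguessable session identifier
    SESSIONS[sid] = (user, client_ip)
    # HttpOnly keeps the cookie out of reach of injected scripts (the theft in point d),
    # Secure keeps it off plain HTTP, SameSite=Lax stops most cross-site requests carrying it.
    cookie = f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, cookie


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for a Cookie: request header ("name=value; name2=value2")."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def validate_request(cookie_header: str, client_ip: str) -> Optional[str]:
    """Return the logged-in user if the session cookie is valid for this client, else None."""
    sid = parse_cookie_header(cookie_header).get("session")
    if sid is None:
        return None
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, bound_ip = entry
    # The mitigation from point (d): a session id replayed from another address is rejected.
    # Caveat: users behind changing NAT or mobile addresses will be logged out as well,
    # which is why HttpOnly is the more reliable defence against cookie theft by script.
    if bound_ip != client_ip:
        return None
    return user
```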