Here's a forum of sites with XSS flaws. Verify for yourself. If you can stand the terrible language and tangents.
Sites with XSS Flaws
I accidentally found an XSS flaw on my bank's web site recently. They were trying to prevent it by using a JavaScript pop up box. Helllloooo. Who doesn't know you can turn off JavaScript these days? A bank for goodness sakes...my money at stake.
It is a small credit union. Needless to say I am in the process of changing banks.