The worst offender is CNET. Inevitably leaving the main page causes Noscript to notify me that my request was blocked by XSS. Also CNET runs more javascripts that almost any site I visit. Is it really that vulnerable?