I've run into several XSS vulnerabilities that were easily detected just by NoScript. The most blatant was on a banking related site where the contents of a POST requests get put directly between the <head></head> tags. I considered reporting them, but have heard too many horror stories of legal action being brought about against reporters of such vulnerabilities that even if the chance is very low, it's a hassle I just don't want to deal with now.