Security "news" website thehackernews.com had an XSS vulnerability on its site disclosed by Rafay Baloch. A parameter in a redirect page was vulnerable to JavaScript injection.
hxxp://news.thehackernews.com/go.php?to=javascript:alert(/xssbyrafay/);
The site was claimed to be fixed, but Rafay quickly bypassed the fix with HTTP Parameter Pollution.
hxxp://news.thehackernews.com/go.php?to=javascript:alert(1)//&to=http://a
Maybe THN should think about just removing the useless redirect page.
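If a redirect page like this is kept, the check has to run on the same value the redirect uses. The following is an added example, not code from the site or from Rafay's report: a validator that refuses a duplicated "to" parameter instead of picking one occurrence, and allows only http/https targets. The function names and sample query strings are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def first_and_last(raw_query, param="to"):
    """Show the ambiguity HPP relies on: two readers of the same query
    string can see different values when a parameter is repeated."""
    values = parse_qs(raw_query, keep_blank_values=True).get(param, [])
    return (values[0], values[-1]) if values else (None, None)


def safe_redirect_target(raw_query, param="to"):
    """Return the redirect target if it is unambiguous and http(s), else None."""
    # keep_blank_values=True so an empty duplicate still counts as a duplicate.
    values = parse_qs(raw_query, keep_blank_values=True).get(param, [])
    # HPP defence: reject repeated parameters rather than choosing first or last.
    if len(values) != 1:
        return None
    target = values[0].strip()
    # Browsers drop tab/CR/LF inside a scheme ("java\tscript:"), so refuse
    # any control character instead of trying to normalise it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    parts = urlsplit(target)
    # Scheme allowlist: javascript:, data:, vbscript: and scheme-less values fail.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample query strings modelled on the two URLs above.
    samples = [
        "to=http://a",
        "to=javascript:alert(/x/)",
        "to=javascript:alert(1)//&to=http://a",
        "to=java%09script:alert(1)",
    ]
    for q in samples:
        print(f"{q!r:45} first/last={first_and_last(q)} -> {safe_redirect_target(q)}")
```

The scheme check stops script execution through the redirect; restricting the target to a list of known hosts would be needed as well to stop it being used as an open redirect.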