Since I was bored, I decided to test Google Reader's security (I like to make sure that the websites I use are at least moderately secure). Also, since this is a community application (via the shared feeds), an XSS exploit could spread quite easily (like the MySpace worm).
But Google has actually implemented a decent security scheme. As far as I can see, they actually parse the HTML (and XHTML) and generate new HTML from the parse tree. They also prevent the hack which I thought of recently by stripping CDATA sections and replacing them with their HTML-encoded content.
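
The scheme described above (parse the markup, emit fresh HTML from the parse, and turn CDATA sections into their encoded content), as an added Python example. It is not Google's code; the tag allowlist, the URL scheme check and the names `Rebuilder` and `sanitize` are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the page does not say which tags Google Reader keeps.
ALLOWED = {"a": {"href"}, "p": set(), "b": set(), "i": set(), "br": set()}
VOID = {"br"}
DROPPED = {"script", "style"}  # the element and its text are discarded
SAFE_URL = re.compile(r"^(https?|mailto):", re.I)
CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)

class Rebuilder(HTMLParser):
    """Collects a fresh serialization; no input markup is passed through."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            # Every allowed attribute here is URL-valued: one scheme check.
            kept = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs
                           if k in ALLOWED[tag] and v and SAFE_URL.match(v.strip()))
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:  # close still-open children first
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(feed_html):
    # CDATA sections become their HTML-encoded content before parsing.
    encoded = CDATA.sub(lambda m: escape(m.group(1)), feed_html)
    parser = Rebuilder()
    parser.feed(encoded)
    parser.close()
    tail = "".join(f"</{t}>" for t in reversed(parser.stack))
    return "".join(parser.out) + tail
```

Because the output is rebuilt from parser events, anything the allowlist does not name (event handlers, unknown tags, non-http URL schemes) never reaches the serialized result.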