Google must be pretty confident that they've not got any more XSS vulnerabilities in their code as this post on their security blog tells everyone how they could exploit one when found:

http://googleonlinesecurity.blogspot.com/2007/07/automating-web-application-security.html