#1 rule of web app development (as far as i'm concerned): sanitize inputs. if you don't know if inputs are already/automatically sanitized, sanitize them again anyway.

It's easy to kill if you only employ competent developers who don't trust any user input :/

The article explains the issue very poorly (seriously, I'm disappointed how badly this was written, considering it's ARS and all). If you read the user comments, they manage to explain it much more clearly, except for one issue... the article mentions how these cached search results are "forwarded" to Google/Yahoo etc. I don't know what the hell they're talking about, I know of no way to forward local site search results to search engines.

I think that what really happens is the people who create these "attacks" just post the links on some page that spiders will find and then the links will show up in Google/Yahoo results, and probably quite high since they're from domains with high page rank.