GNUCitizen points out some potential XSS vulnerabilities in Google Gears. My only take away is that developers have to be more careful and scrub everywhere, not just at the server-side. More work is good, me think. ;-p