I have a site that was reported by Google to be infected with the above code. In Webmaster Tools they gave an example of at least one page where the code was found.
So it is getting injected from some unknown file, and I still can't find it. The client, of course if apopleptic and I forsee hours of digging.
I changed the FTP password and do NOT save them to the Filezilla site manager file any longer.
The reason for my question is that this password file should be stored on your local machine - which I believe it is. If your sites have been hacked through access to this file then it sounds as if your computer has been infected with malware/virus!?
Whilst there is a potential vulnerability in Filezilla's XML files, this is only a problem if the host computer has been hacked.