Want an example?
<script>
alert("this code will not execute");
</script>
If WebmasterWorld had not HTML encoded my post, the characters above would have executed and you'd see an alert pop up. But you didn't. WebmasterWorld is not vulnerable to XSS.
XSS is in the family of vulnerabilities that includes SQL injection: that's where someone types some SQL code into a form that retrieves data from a SQL database based on their query. If your application is not careful, I can manipulate a careless SELECT statement to show me way more than you ever intended. An example: I might fill out a form saying that my name is "'; DELETE * FROM ThisTable"
Another way XSS can compromise your site is if your site does any data retrieval from another server - for instance, loading the contents of another URL to regurgitate it on yours. Let's just say... If you're going to do that, you need to wear protection. If that other page has hidden <script> things or embedded plugins... it's open season. HTML encoding is your XSS prophylactic.
MySpace had a famous hack last year because of this kind of carelessness.
Most vulnerabilities can be prevented by HTML encoding stuff that people type into your website.
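As an added illustration of the HTML encoding the post recommends (example code written here, not WebmasterWorld's or the poster's), the following Python encodes untrusted input at the point it is placed into markup and includes a self-check a site owner can run over rendered output. The function names, the comment template and the sample input are assumptions made for this example.

```python
import html
import re

# Constructed sample input: the same <script> text the post above typed into the form.
SAMPLE_POST = '<script>\nalert("this code will not execute");\n</script>'


def html_encode(untrusted: str) -> str:
    """HTML-encode untrusted text so the browser renders it literally.

    The characters & < > " ' are what turn text into markup; html.escape
    with quote=True replaces all five with entities, so the result is safe
    both in a text node and inside a double- or single-quoted attribute.
    """
    return html.escape(untrusted, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build the HTML for one forum comment (hypothetical template).

    Every untrusted value is encoded where it is inserted: the author goes
    into an attribute value, the body into a text node.
    """
    return (
        f'<div class="comment" data-author="{html_encode(author)}">'
        f'<p>{html_encode(body)}</p></div>'
    )


# Patterns that indicate raw script-bearing markup survived into the output.
_ACTIVE_MARKUP = re.compile(r'<\s*script|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def active_content_present(rendered: str) -> bool:
    """Defender-side self-check: True if the rendered fragment still carries
    a script tag, an event-handler attribute or a javascript: URL in raw form.
    Run it over output built from user input; a True result means some value
    was inserted without going through html_encode()."""
    return _ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    safe = render_comment("mack", SAMPLE_POST)
    unsafe = "<p>" + SAMPLE_POST + "</p>"  # what regurgitating raw input looks like
    print("encoded output:", safe)
    print("active content in encoded output:", active_content_present(safe))    # False
    print("active content in raw output:", active_content_present(unsafe))      # True
```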