<script> alert("XSS"); </script>
and you can get alerts.
The reason for most XSS holes is due to the use of Microsoft's Active Server Pages (ASP). ASP does not have much default functions or modules to combat XSS. Whereas PHP has a number of functions to do the same.
Happy Hacking ...