Due to their orthogonality to "traditional" XSS, these sorts of attacks still affect sites that are otherwise pretty good in terms of input handling. I recall, when I first read about these attacks, I was able to make a proof-of-concept XSS against LiveJournal. When I showed the attack to brad, it amusingly turned out that he had already written code to defend against the problem but hadn't yet flipped the switch, so he fixed it within a few minutes. But as the paper illustrates, many other sites (like Wikipedia*) are vulnerable.
* Update: having read more now, I see Wikipedia uses the same defense LJ does; it's just the default configuration of MediaWiki that is vulnerable.