Interactive features of your site are used as unwitting carriers of client-side attacks

Anywhere you display external input:

User profile

Forums

Error pages (the URL is external input)