It seems the bug I referred to in my last post is only partially fixed -- but I am confident it will be closed up soon. In the mean time, I recommend you log out of Gmail when you are not using it until the problems are solved.
Even though this XSS vulnerability takes the cake for Google's worst new years "oops", something else on Gmail deserves a little attention too. Do you remember how your quota in Gmail was always increasing? Well, it now appears to be capped at 2800MB -- though it's pretty tough to complain about that number.
Happy new years everyone!