One is the exploit I describe above: data taken from the block chain was not escaped properly.

Another is a more "traditional" XSS. It was possible to format a URL such that it contained script tags that were injected into the page.

https://github.com/etherdelta/etherdelta.github.io/issues/14...

The reason is, the data after the hash was not escaped.

Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool.