[Full-disclosure] XSS with UTF-7 in Google

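Via セキュメモ

Apparently there was a vulnerability in which arbitrary code could be specified in Google's oe parameter, resulting in XSS, but it has reportedly already been fixed.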

XSS with UTF-7 was found in www.google.com (already fixed).
Although the charset was specified in the HTTP response header, the
charset name was incorrect, so XSS occurred.

PoC:
http://www.google.com/search?hl=en&oe=cp932&q=%2BADw-script%2BAD4-alert(
document.cookie)%2BADsAPA-/script%2BAD4-%2BACI-

The "cp932" is specified for output charset with "oe" parameter,

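A server-side guard for the failure described above, as an added example that is not part of the original post or of Google's code: the request-supplied charset name is mapped through an allowlist to a label browsers recognise before it reaches the Content-Type header, and input is checked for HTML metacharacters hidden in UTF-7 runs. The allowlist, the cp932 to Shift_JIS mapping, the function names and the sample value (a fragment of the PoC's q parameter) are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Assumed allowlist: names the application accepts -> labels browsers recognise.
# Anything else (including "utf-7") falls back to the default.
CANONICAL_CHARSETS = {
    "utf-8": "UTF-8", "utf8": "UTF-8",
    "shift_jis": "Shift_JIS", "sjis": "Shift_JIS", "cp932": "Shift_JIS",
    "euc-jp": "EUC-JP",
    "iso-8859-1": "ISO-8859-1", "latin1": "ISO-8859-1",
}
DEFAULT_CHARSET = "UTF-8"
HTML_META = set("<>\"'&")
# A UTF-7 shifted run: '+', modified base64, optional terminating '-'.
UTF7_RUN = re.compile(r"\+([A-Za-z0-9+/]+)-?")


def content_type_for(requested):
    """Build Content-Type from a request-supplied charset name (e.g. oe=...).

    The raw name is never echoed; only an allowlisted canonical label is."""
    key = (requested or "").strip().lower()
    return "text/html; charset=" + CANONICAL_CHARSETS.get(key, DEFAULT_CHARSET)


def utf7_hidden_meta(text):
    """Return HTML metacharacters that only appear after UTF-7 decoding."""
    found = set()
    for run in UTF7_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            raw = base64.b64decode(padded)
        except ValueError:
            continue  # not decodable as base64, e.g. the '+' in "1+1"
        # UTF-7 carries UTF-16BE code units inside the base64 run.
        found |= HTML_META & set(raw.decode("utf-16-be", errors="ignore"))
    return found


# Sample input: a fragment of the q value from the PoC above, URL-decoded.
SAMPLE_Q = unquote("%2BADw-script%2BAD4-")

if __name__ == "__main__":
    print(content_type_for("cp932"))          # canonical label, not the raw name
    print(sorted(utf7_hidden_meta(SAMPLE_Q)))  # metacharacters hidden in UTF-7
```

Entity-escaping alone does not catch this input, because the raw bytes contain no `<` or `>` until a client interprets them as UTF-7.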