First of all, cross-site scripting (XSS) or Code Injection is a client side vulnerability and not a server side vulnerability. that is to say that XSS does not affect web applications servers directly. Rather, XSS attacks attempt so steal logged users credentials (session id...usually stored in cookies) and store this information on a remote server (sometimes referred to as black hat server)...where an attacker or malice user, would use this information to fool the web server (be it Apache, IIS, Tomcat...etc) that they are a subscribed user or the user who's login credentials were stolen.
Therefore, the damages that can be caused to the web application very much depend on the role(s) that user have...and does not affect web server directly.
For more information on XSS attacks, please see the following URLs
http://www.owasp.org/index.php/Cross_Site_Scripting
http://ha.ckers.org/cross-site-scripting.html
So, does this type of attack only affect Linux machines? the answer is no. It affects windows, Mac OS, and Unix users, and just about any web server such as IIS, Tomcat, Apache...etc.
How can you prevent this type of attack?
There are many ways to prevent this type of attack, one of them is not to allow users to submit data in the first place. another is to prevent users from entering any none-English characters in forms etc. another is to encode output...etc.
cheers,
Ess