I'm not a security expert, but at first glance:
This method relies on the user visiting a specific URL, pointing at your site but with odd data in the query string - it wouldn't happen through normal browsing of your site. Generally they'd have to click on a link in an email or something.
It's not a direct attack on your site, it's an attack on a user of your site - any scripts which are run would be run on their machine, not yours. It could still be detrimental to your site though - the scripts could phish the user's login details, and the attacker could then damage your site in any way that the user could. Generally though the less you trust your users, the less problems you're likely to see through attacks like this.
As an attack on the user rather than the site, the scripts could install viruses, etc. You don't need to care about that though.
Running preg_replace to remove newline characters from the query string would prevent this kind of attack, at least in the form presented.
In any case, it should make you think twice (at least) about what you do with user-supplied data such as query strings.
