XSS (Cross Site Scripting) Cheat sheet: Here’s a fantastic list of hundreds of different ways people will try to obfuscate cross-site scripting attacks. Some of these are just devious.
This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest.
A great resource. Via MetaFilter.