From the Google Gruyere XSS lesson: if you can inject alert(1), then you can inject arbitrary script, since any JavaScript source can be encoded as eval(String.fromCharCode(...)) and executed from that proof-of-concept foothold.
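Added example in JavaScript (not code from the Gruyere lesson): a keyword blacklist that strips the literal alert(1) proof of concept does nothing against the String.fromCharCode form of the same text, whereas contextual HTML encoding of untrusted output neutralizes both; naiveBlacklist, encodeForHtml and asCharCodes are names assumed here.

```javascript
// A naive "filter" that only removes the literal token seen in a proof of concept.
// This is the anti-pattern the lesson warns about.
function naiveBlacklist(input) {
  return input.replace(/alert\s*\(/gi, "");
}

// Defender's fix: entity-encode untrusted text before it lands in an HTML text
// context, so the browser never parses it as markup or script at all.
function encodeForHtml(input) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return input.replace(/[&<>"'/]/g, (c) => map[c]);
}

// Rewrite a string as the String.fromCharCode(...) expression the lesson mentions.
// Used here only to show that the blacklist cannot recognise it.
function asCharCodes(s) {
  const codes = [...s].map((c) => c.charCodeAt(0));
  return "String.fromCharCode(" + codes.join(",") + ")";
}

// Constructed sample inputs for the demonstration.
const literalProof = "alert(1)";
const encodedProof = "eval(" + asCharCodes(literalProof) + ")";

// The blacklist does remove the literal form...
function blacklistCatchesLiteral() {
  return !naiveBlacklist(literalProof).includes("alert(");
}

// ...but passes the equivalent char-code form through completely unchanged.
function blacklistMissesEncoded() {
  return naiveBlacklist(encodedProof) === encodedProof;
}

// Output encoding leaves no character that could open a tag or break an attribute,
// regardless of which spelling of the script was submitted.
function encodingNeutralizes(input) {
  return !/[<>"']/.test(encodeForHtml(input));
}
```

The lesson's point is the contrapositive for defenders: because any script can be re-spelled, only encoding for the output context (not recognising "bad" strings) closes the hole.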