Another way is to use the technique described at http://patriciopalladino.com/blog/2012/08/09/non-alphanumeri...

It transforms javascript into a sequence of ()[]{}!+

Wow, it seems like there is no limit to what you can accomplish by abusing type coercion.

unfortunately i ended up with String.fromCharCode, would of made the final code a lot more readable! https://gist.github.com/3527252

I figured out how to insert strings with quotes on level 6 - if you use a param list like username[]={string"with'quotes'"}, it bypasses the safety check but still gets coerced to a string by the ORM. Unfortunately, I wasn't clever enough to actually do anything with that...

This works well if for some reason they block fromCharCode:

    eval(unescape(/your escaped code goes here/.source))

Use Javascript's escape() to generate the code

I used DOM api to avoid quote character: document.links[0].href