Well, this has been covered widely, but I can’t stop myself from writing about it on my blog, as I just had some time to play with it:
Google XSS game
It actually brought me back to the time when I had fun with text only games (good old MUDs!)
Now, if you haven’t tried it, I strongly suggest giving it a go – the aim is to make an alert() pop up in different scenarios.
I have to admit, I seriously struggled with #4 (like, hours), but it was well worth it. And reading the tips on the site is not cheating, they are just useful enough.
For #6, feel free to use mine (fabytes.com/ggxss.js – I won’t spoil it with details, just make sure the certificate is OK on your machine before you use it).
And yes, it is safe, I just put alert() in it!