But of course, anyone who actually wants to protect against XSS attacks won't allow user input to be evaluated. If they did want to allow user-supplied JavaScript, they wouldn't blacklist, they would whitelist (by parsing the user-supplied script and using the AST to emit only whitelisted operations).
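The parse-then-whitelist approach the comment describes, as an added example that is not the commenter's code: a deliberately tiny expression language is tokenized, parsed into an AST, and an emitter reproduces only node types, identifiers, members and method calls that appear on an allowlist. The allowed names (`user.name`, `user.age`, `user.role` and three `Math` functions) and the expression grammar are assumptions made for the example; anything outside them is rejected before evaluation, so the string handed to `Function` is assembled only from vetted pieces rather than from the raw input.

```javascript
// Added example (not from the original comment). Allowlist by AST:
// tokenize -> parse -> emit only permitted nodes -> evaluate the emitted code.
// Assumed policy: one object `user` with three readable fields, three Math methods.
const ALLOWED_MEMBERS = new Map([['user', new Set(['name', 'age', 'role'])]]); // data props
const ALLOWED_CALLS = new Map([['Math', new Set(['max', 'min', 'floor'])]]);    // methods
const ALLOWED_BINARY = new Set(['+', '-', '*', '/', '%', '<', '>', '<=', '>=', '==', '!=', '&&', '||']);
const ALLOWED_UNARY = new Set(['-', '!']);
const PREC = { '||': 1, '&&': 2, '==': 3, '!=': 3, '<': 4, '>': 4, '<=': 4, '>=': 4, '+': 5, '-': 5, '*': 6, '/': 6, '%': 6 };
// Maps (not plain objects) so that names like "constructor" do not resolve via the prototype.

function tokenize(src) {
  const re = /(\d+(?:\.\d+)?)|("(?:[^"\\]|\\.)*")|([A-Za-z_]\w*)|(<=|>=|==|!=|&&|\|\||[-+*\/%<>!().,])/y;
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    if (/\s/.test(src[i])) { i++; continue; }
    re.lastIndex = i;
    const m = re.exec(src);
    if (!m) throw new Error(`unexpected character ${JSON.stringify(src[i])} at ${i}`); // e.g. "[" or ";"
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'str', v: JSON.parse(m[2]) }); // decoded, never kept raw
    else if (m[3] !== undefined) tokens.push({ t: 'id', v: m[3] });
    else tokens.push({ t: 'op', v: m[4] });
    i = re.lastIndex;
  }
  return tokens;
}

function parse(src) {
  const toks = tokenize(src);
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];
  const expect = (v) => { const tk = next(); if (!tk || tk.v !== v) throw new Error(`expected ${v}`); };
  function primary() {
    const tk = next();
    if (!tk) throw new Error('unexpected end of input');
    if (tk.t === 'num') return { type: 'Number', value: tk.v };
    if (tk.t === 'str') return { type: 'String', value: tk.v };
    if (tk.t === 'id') {
      let node = { type: 'Identifier', name: tk.v };
      while (peek() && (peek().v === '.' || peek().v === '(')) {   // postfix: member access, call
        if (next().v === '.') {
          const prop = next();
          if (!prop || prop.t !== 'id') throw new Error('expected property name');
          node = { type: 'Member', object: node, property: prop.v };
        } else {
          const args = [];
          if (peek() && peek().v !== ')') { do { args.push(expr(0)); } while (peek() && peek().v === ',' && next()); }
          expect(')');
          node = { type: 'Call', callee: node, args };
        }
      }
      return node;
    }
    if (tk.v === '(') { const e = expr(0); expect(')'); return e; }
    if (tk.t === 'op' && ALLOWED_UNARY.has(tk.v)) return { type: 'Unary', op: tk.v, arg: primary() };
    throw new Error(`unexpected token ${tk.v}`);
  }
  function expr(minPrec) {                                           // precedence climbing
    let left = primary();
    while (peek() && peek().t === 'op' && PREC[peek().v] !== undefined && PREC[peek().v] >= minPrec) {
      const op = next().v;
      left = { type: 'Binary', op, left, right: expr(PREC[op] + 1) };
    }
    return left;
  }
  const ast = expr(0);
  if (pos !== toks.length) throw new Error(`trailing input at token ${pos}`);
  return ast;
}

// Emit JavaScript for the AST; every node must pass the allowlist or the whole script is rejected.
function emit(node) {
  switch (node.type) {
    case 'Number': return String(node.value);
    case 'String': return JSON.stringify(node.value);               // re-serialised, so no code can hide in it
    case 'Identifier':
      if (!ALLOWED_MEMBERS.has(node.name)) throw new Error(`identifier not allowed: ${node.name}`);
      return node.name;
    case 'Member': {
      if (node.object.type !== 'Identifier') throw new Error('only one-level member access allowed');
      const props = ALLOWED_MEMBERS.get(node.object.name);
      if (!props || !props.has(node.property)) throw new Error(`member not allowed: ${node.object.name}.${node.property}`);
      return `${node.object.name}.${node.property}`;
    }
    case 'Call': {
      const c = node.callee;
      const fns = c.type === 'Member' && c.object.type === 'Identifier' ? ALLOWED_CALLS.get(c.object.name) : undefined;
      if (!fns || !fns.has(c.property)) throw new Error('call not allowed');
      return `${c.object.name}.${c.property}(${node.args.map(emit).join(', ')})`;
    }
    case 'Unary': return `(${node.op}${emit(node.arg)})`;
    case 'Binary':
      if (!ALLOWED_BINARY.has(node.op)) throw new Error(`operator not allowed: ${node.op}`);
      return `(${emit(node.left)} ${node.op} ${emit(node.right)})`;
    default: throw new Error(`node type not allowed: ${node.type}`);
  }
}

// Build a function from the emitted code; the script sees only the two frozen parameters by name.
function compile(src) {
  const fn = new Function('user', 'Math', `"use strict"; return (${emit(parse(src))});`);
  return (user) => fn(Object.freeze({ name: user.name, age: user.age, role: user.role }),
                      Object.freeze({ max: Math.max, min: Math.min, floor: Math.floor }));
}

function isAccepted(src) { try { compile(src); return true; } catch { return false; } }
```

The policy lives entirely in the allowlists and the emitter: `alert(1)`, `document.cookie`, `user["name"]` and `user.constructor.constructor("return this")()` all fail at parse or emit time and never reach `Function`, while `Math.max(user.age - 18, 0) * 2` is rebuilt from vetted nodes and evaluates normally.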