by lazyjones 4399 days ago
Nice one; I gave up trying to solve the last with the http-only google.com/jsapi and hosted my own with https, but then it occurred to me that it's even more trivial than I thought!

Checking our stuff for this mistake now ...

4 comments

I used "//" to get around the http regex (but this requires using an https host as you mentioned), is there another way to get around the regex?
Adding a space just before the URL works just as well.
Spoiler: RaNDoM cApS
//www.google.com/jsapi?callback=alert
data:,alert('hi')
Use upper-case characters
I think ftp:// works too

EDIT: no, it doesn't :D

SPOILER: You need a way to defeat the regex (see other comments here). Then think about what the "foo" actually does (and read the error console).
What's the trivial solution to this? I also wound up hosting the malicious file on my personal server...
data-uris also work: #data:text/javascript,alert('pwn')
That's what I used too. Hosting scripts is far too much like hard work...
There are apparently easier ways, but I just chucked an alert(); in my Dropbox public folder, did a //dl.dropboxusercontent.com/u/14XXX/xss.js as they serve both http and https.
I put a small gist up and hotlinked through githack.com
gist.github.com serves https, so you can use it whenever you need something sent over https.
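Every bypass the commenters list (a protocol-relative `//host` URL, a `data:` URI, mixed-case `HtTp`, a leading space, a fragment) defeats the same weak control: a case-sensitive, start-of-string blocklist regex applied to the raw string. The following is an added example, not code from any commenter or from the game itself, showing that blocklist beside the check a defender would use instead: parse the input the way the browser will, require https, and compare the resolved origin plus path against an allowlist of exact script locations with no query or fragment (the `callback=` trick in the thread arrives via the query string of an otherwise trusted host). The blocklist regex, the `PAGE_ORIGIN` value and the `ALLOWED_SCRIPTS` set are all constructed for this example.

```javascript
// Added example (not from the thread): a start-of-string blocklist regex on a
// script URL versus an allowlist of exact script locations. The blocklist is a
// constructed stand-in for the kind of filter the comments describe; the
// allowlist and page origin are placeholders chosen for this example.

// Blocklist: "allowed" means the regex did not match. It is case-sensitive,
// anchored at position 0, and only knows about absolute http(s) URLs.
function naiveHttpBlocklist(url) {
  return !/^https?:\/\//.test(url);
}

// Allowlist: resolve the input relative to the page the way a browser would,
// then require https and an exact origin+path match with no query or fragment.
const PAGE_ORIGIN = 'https://example.invalid/';                     // placeholder
const ALLOWED_SCRIPTS = new Set(['https://www.google.com/jsapi']);  // constructed

function isAllowedScriptUrl(input) {
  let parsed;
  try {
    // Resolves "//host/path", "#fragment" and " http://..." against the page origin
    parsed = new URL(String(input).trim(), PAGE_ORIGIN);
  } catch (e) {
    return false; // unparseable input is never a script we load
  }
  if (parsed.protocol !== 'https:') return false;           // drops data:, ftp:, http:
  if (parsed.search !== '' || parsed.hash !== '') return false; // no attacker-chosen params
  return ALLOWED_SCRIPTS.has(parsed.origin + parsed.pathname);
}

// Inputs quoted in the thread plus one legitimate URL (constructed test set).
const SAMPLES = [
  '//www.google.com/jsapi?callback=alert',
  "data:,alert('hi')",
  "#data:text/javascript,alert('pwn')",
  'HtTp://www.google.com/jsapi',
  ' http://www.google.com/jsapi',
  'https://www.google.com/jsapi',
];

// Returns one row per sample showing what each check decides.
function compareChecks(samples = SAMPLES) {
  return samples.map((url) => ({
    url,
    blocklistAllows: naiveHttpBlocklist(url),
    allowlistAllows: isAllowedScriptUrl(url),
  }));
}

console.table(compareChecks());
```

Running it prints a table in which the blocklist lets every thread-quoted input through (and, because it keys on the raw string, also blocks the one legitimate `https://` URL), while the allowlist accepts only `https://www.google.com/jsapi` itself and rejects the same path once a `callback=` query is attached.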