jQuery has this quirk, where you can't pass user data to the $() function:

$('<img src=1 onerror=alert(document.domain)>')

The $() code ends up creating an HTML node, which can lead to a XSS hole.

This vector for bugs has been known for a while (bug 9521, bug 11617), but can unfortunately still be exploited in some cases.

edit: this bug bites cryptocat, https://github.com/cryptocat/cryptocat/issues/613