jQuery has this quirk, where you can't pass user data to the $() function:
$('<img src=1 onerror=alert(document.domain)>')
The $() code ends up creating an HTML node, which can lead to an XSS hole.
This vector for bugs has been known for a while (bug 9521, bug 11617), but can unfortunately still be exploited in some cases.
edit: this bug bites cryptocat, https://github.com/cryptocat/cryptocat/issues/613
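One way to guard a call site that has to turn user-supplied text (such as location.hash) into a jQuery lookup, as an added example that is not part of the original post or of jQuery. The helper names and the allow-list policy for ids are assumptions; the only jQuery behaviour relied on is that .find() treats its string argument as a selector.

```javascript
// Added example: helper names and the id policy are assumptions,
// not part of jQuery or of the original post.

// Turn untrusted text (for example location.hash) into an id selector.
// Returns null when the input is anything other than a plain id, so a
// string containing markup never reaches $().
function idSelectorFromUntrusted(value) {
  var text = String(value).trim();
  if (text.charAt(0) === '#') {
    text = text.slice(1);
  }
  // Allow-list: a letter first, then letters, digits, '_' or '-'.
  if (!/^[A-Za-z][A-Za-z0-9_-]*$/.test(text)) {
    return null;
  }
  return '#' + text;
}

// Look up an element for untrusted input. `jq` is the jQuery function,
// passed in as a parameter so this file also loads outside a browser.
function findByUntrustedId(jq, root, value) {
  var selector = idSelectorFromUntrusted(value);
  if (selector === null) {
    return null; // rejected: caller decides how to report it
  }
  // .find() interprets its argument as a selector, never as HTML.
  return jq(root).find(selector);
}

// Constructed sample inputs, including the string shown in the post.
var samples = [
  'profile',
  '#tab-2',
  '<img src=1 onerror=alert(document.domain)>',
  'a, <b>',
  ''
];
samples.forEach(function (s) {
  console.log(JSON.stringify(s), '->', idSelectorFromUntrusted(s));
});
```

In a page this would be called as findByUntrustedId(jQuery, document, location.hash), with a null result handled as "no such element".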