Gareth Heyes:
Bypassing XSS Auditor
February 20, 2013 @ 11:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it's getting harder to bypass. Hmmm I don't agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses: using a "formaction" attribute on a form's submit input, using "target" to override the iframe external-resource restriction, and injecting a specially placed anchor tag. Each comes with a proof-of-concept example, and a further bypass is included courtesy of Mario Heiderich.

bypass xssauditor browser xss protection proofofconcept poc


Benjamin Eberlei's Blog:
Test your Legacy PHP Application with Function Mocks!
March 31, 2009 @ 11:18:31

Benjamin Eberlei has a suggestion for testing your application without having to mess around with creating new resources just for testing - use mocks.

Much talking is going on about Unit testing, Mocks and TDD in the PHP world. For the most part these discussions surround object-oriented PHP code, frameworks and applications. Yet I would assert that the reality for PHP developers (me included) is dealing with PHP 4, PHP 5 migrated, or non-object oriented legacy applications which are near to impossible to bring under test.

He includes a "proof of concept" in which the built-in mysql_query function is replaced (redefined via Runkit) with a version that delegates to a "mocker" object, so that calling mysql_query returns a "hello world" message instead of touching a database.

mock function runkit proofofconcept mysqlquery resource


All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework