i8jesus has posted an entry on smuggling other protocol commands (such as ftp) in HTML forms, as well as edge case situations where running a tcp service (in this case ftp on a non standard port) can result in more XSS abuse cases. While not likely still worth a read.

"Most people have thought about how you can use a browser to issue inter-protocol requests. See Samy’s version of SMTP-through-JavaScript, “cross-site” printing (cool, but what’s so cross-site about it again?), and this paper by NGS. However, the reverse attack is much more useful; how causing a browser to interact with another protocol can cause arbitrary JavaScript to run in the origin of a target domain. This is natural extension to that previous work, starting with the seminal “form protocol attack” paper. After doing a bunch of research I found out that this basic idea was already lightly covered in eyeonsecurity’s “extended HTML form attack” paper, but misses out many key details, mostly resulting from the fact that the browser security landscape has shifted significantly since it was written in 2002." - i8jesus

Read more: http://i8jesus.com/?p=75