
Cross-protocol XSS with non-standard service ports

i8jesus has posted an entry on smuggling other protocols' commands (such as FTP) in HTML forms, as well as edge cases where running a TCP service (in this case FTP on a non-standard port) can result in more XSS abuse cases. While not a likely scenario, it is still worth a read.

"Most people have thought about how you can use a browser to issue inter-protocol requests. See Samy’s version of SMTP-through-JavaScript, “cross-site” printing (cool, but what’s so cross-site about it again?), and this paper by NGS. However, the reverse attack is much more useful; how causing a browser to interact with another protocol can cause arbitrary JavaScript to run in the origin of a target domain. This is a natural extension to that previous work, starting with the seminal “form protocol attack” paper. After doing a bunch of research I found out that this basic idea was already lightly covered in eyeonsecurity’s “extended HTML form attack” paper, but misses out many key details, mostly resulting from the fact that the browser security landscape has shifted significantly since it was written in 2002." – i8jesus

Read more: http://i8jesus.com/?p=75