I also really liked the XSS levels. I thought it was clever how they used PhantomJS to simulate a victim. It kind of makes it more fun than just a regular exploit.
On level 6 I got around the quotes limitation by using eval(String.fromCharCode(11, 22, 33, 44, etc));
For fun I tried using http://news.ycombinator.com/item?id=4365868, which worked, though if the script was long it would end up being truncated.