Microsoft ASP.NET version 2 also fights cross-site request forgeries with a MAC'ed token:
Browser-based tool for website XSS testing
Guide on how to generate UTF-7 strings in PHP for filter evasion
Explanation of why Google was vulnerable to UTF-7 encoding
An open web service that lets cute little XSSers store their stolen session credentials
Proposal for an extension of HTTP/HTML to mitigate XSS threats