XSS techniques: defeat a target that only escapes single and double quotes

I assume that you found an entry point either, from

1. the url
2. an injectable

   <input .../>

3. or a form input, find functions on certain websites are very exploitable

Assume that the target accepts injections with slashes and escapes only single and double-quotes as a security measure:

Try to break the webpage with '-->', e.g. html comment termination,
inject your payload, e.g. <script>...</script>

Escaping double and single quotes:

a.

(new String(1)).replace((new Number(1)).toString(10), /look no single or double quotes/);

b.

String.fromCharCode(n1, n2, ..., nX)

c. replace (for compression)

Use this python snippet to prepare the payload:

[ ord(c) for c in "http://payload_in_decimal" ]

The drawback of this technique is that the decimal payload will be huge and it might overflow the input, i.e. url input on the browser, input-tag, form etc.