XSS question.

["VAM" <thebigbadwolf () fastmail fm>]

Hey I am trying to figure out a way to exploit a webserver that is
supposedly vulnerable to XSS. The issues are:
1. </SCRIPT> gets converted into <\SCRIPT> in the server response.. for
ScrIPT, etc too..
2. img%20src remains img%20src in the response.. (the server does no
decoding)

so, I am not able to make IE/others execute the javascript embedded in
there. Is there any other way/ways of invoking javascript in the HTML
response from the server.. e.g. any other single-worded HTML tag etc that
can do something like what <img src=javascript:alert("hello")> does.. ?

Thanks!