I have a flag in localStorage on xss-shafigullin-pro.appspot.com. Your goal is to send me a link to a page on your domain with any boobs picture;
while I'm looking at the picture you should steal the flag from localStorage (the name of my dog) and send it to me.
It would be great if your exploit works in all browsers; each browser gives additional points.
Did it? Send me the link to your page and the UA where it works.
Don't send me vectors with alerts and messages. I'm the victim, not a security expert; you should steal sensitive information, like the name of my dog.
Don't send me results from your favorite vuln scanner, this puzzle is not for noobs.
It can take some time =) but all tasks are from real applications and real bugs. I can't disclose them, but I can simulate them in a puzzle.
Don't worry if you can't solve it, you can still get money from Bug Bounty programs, you don't need any skill for that.
You can solve it without 0days.
Don't share your solution and don't discuss solving it; you can ask only me: DM @shafigullin or use email.
If you find a bug (an easy bypass), I count it as my mistake, because I had no time to test the implementation; I'll add thanks on this page with some points.
| Name | Bug | Firefox | Chrome | IE 9 | IE 10 |
|---|---|---|---|---|---|
| @cgvwzq | 5 (27.12.2012) | 5+2 (27.12.2012) | | | |
| @Paul_Axe | 5 (01.02.2012) | | | | |
The S01 XSS Puzzle is still working.
I promised to give the answer, but then S01 died, so I'll just give you one of the ways to solve it:
an XSS Auditor (Chrome) and IE XSS filter bypass for the App Engine platform.
It was possible to use it to solve the puzzle in one of those browsers.
http://xss-shafigullin-pro.appspot.com/reflector?protection=1&content= - this is a Google App Engine app for testing reflected XSS;
protection=1 sets X-XSS-Protection: 1.
There you can find a feature that is interesting for us: the way Java handles broken URI-encoded chars like %*0, %E0*, %FF. I will not describe the other features ;)
Now you can easily bypass any filter =)
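The root of this bug class is that a filter and the application decode the same parameter differently when the percent-encoding is broken. The following check, added here as an example and not part of the original puzzle or the App Engine code, is a strict decoder that rejects every malformed sequence the page names (`%*0`, a truncated `%E0`, a lone `%FF`) instead of repairing it, and shows how a lenient decoder (Python's `urllib.parse.unquote`, used only for comparison) silently produces a different string. The sample inputs are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# A valid sequence is '%' followed by exactly two hex digits.
PCT_SEQ = re.compile(r'%([0-9A-Fa-f]{2})')


def strict_percent_decode(value: str) -> Optional[str]:
    """Decode percent-encoding strictly; return None on any malformed input.

    Rejecting instead of repairing guarantees that whatever a filter inspected
    is byte-for-byte what the application later uses.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == '%':
            m = PCT_SEQ.match(value, i)
            if not m:
                return None              # e.g. "%*0" or a trailing "%E"
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out.extend(value[i].encode('utf-8'))
            i += 1
    try:
        # A lone 0xFF or a truncated multi-byte lead such as "%E0" is not UTF-8.
        return out.decode('utf-8')
    except UnicodeDecodeError:
        return None


def decoders_agree(value: str) -> bool:
    """True only when strict and lenient decoding yield the same string.

    Any disagreement is the condition under which a reflected-XSS filter can
    see one string while the page renders another, so it is worth logging.
    """
    strict = strict_percent_decode(value)
    return strict is not None and strict == unquote(value)


if __name__ == '__main__':
    for sample in ('%41%E2%9C%93', '%*0', '%E0', '%FF'):   # constructed inputs
        print(repr(sample), '->', repr(strict_percent_decode(sample)),
              'agree:', decoders_agree(sample))
```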
PoC links: Chrome, IE, IE
I will not show here how it is possible to do this without user interaction; for a PoC, links are enough.
I will not count a bypass of S01 made with these tricks, so you can still send me other solutions.
You can also try to break my client-side XSS protection library, it will be open-sourced soon.