Clickjack Test – This checks a URL for the click-jacking vulnerability.
RSnake’s XSS Cheat Sheet – Useful page for coding and decoding XSS payloads and other things.
URL Encoding Reference – US ASCII Character Set.

Other Tools

webGun@Brutelogic’s XSS payload build tool.

Security and Fuzzing Lists

xss-script-variants.txt – This is a list of all variants for the <script> tag for XSS testing and Web Application Firewall bypass testing.  It has all permutations of the <script> tag by ASCII text upper and lower case, Hex/URL, and some decimal for the <> tags.