Right, given the script I provided, it's trivial to cause an XSS attack against myself by spoofing the UA at the browser or with a proxy. However, it can't be exploited unless other clients see that JavaScript as well.

The missing link here is some JavaScript that I place in a webpage that I own that forces anyone who views it to spoof their user agent and view the previous script, or a link sent under the vulnerablesite.foo domain that will contain the JS in it.

So far I haven't been able to find that JavaScript... which is what I'm asking for help with, to prove that it's possible to successfully attack that code when no database is involved.