I inspected an object literal and found "__defineSetter__". This would work on window since every object has the method. Define setter allows you to set a property with the first argument and the function you want to call in the second argument.
Because __defineSetter__ is a method of the window object you do not need to specify window when calling it. I tried an injection of ',__defineSetter__('x',alert),x=1,' and it worked perfectly bypassing Noscript's XSS filter check in script context. The output of the page would look like this:
<script>x = '',__defineSetter__('x',alert),x=1,'';</script>
Define setter is called on window with a property of "x", alert is then called when an assignment of "x" occurs with an argument of "1".
You can also call arbitrary code by changing the alert to eval and the assignment to "name". Using name as the assignment allows you to send a payload across domains using the window.name property. Usually you use an iframe with a name attribute of the payload you wish to execute then reuse that payload using the "name" property in the injected site. An example of that is below:
<iframe name=alert(1) src="//somedomain?x=',__defineSetter__('x',eval),x=name,'"></iframe>
The filter has now been patched and the vector no longer works.