What damage can you do with javascript if your script is not allowed to contain alphanumeric characters? "Not much" is what Ebay must have thought when they decided that scrubbing alphanumeric characters between script tags was good enough to prevent exploits.
As it turns out the weak typing in javascript combined with creative abuse of the textual representation of certain values allows you to do quite a lot [checkpoint.com]. Welcome to JsF*ck.