WebApp Sec mailing list archives

XSS - Double Quote break out and White Space filtered


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Thu, 28 May 2009 11:43:23 +0530

Hey Guys,
We're trying to understand XSS Regex and evasion techniques better.
We're stuck at 2 variations though.

Problem 1:
Here's what is allowed:

( ) : ; &

Everything else is filtered or replaced. The HTML looks like this:
<input type=text name=p1 size=50 value=>

Note that the value isn't enclosed by quotes, which means I can break
out of it with a space using the event handling technique. However, the
problem again is that spaces are also caught and replaced with a
blank. The same is true of " as well. The < and > are filtered as well,
which means we can't start a new tag either. So we're stuck. Now AFAIK
these are the only ways to bypass a filter:

a) Add another attribute to the Input tag
b) Break out of the Input tag and add your own scripts
c) Put in something in the value= which natively acts as a script (I'm
not sure what)

Is there anything else? In what ways can you perform XSS with < > " '
(whitespace with all variants) all blocked off, using any of the 3
above methods?

Problem 2:
Everything in Problem 1 is blocked off including & as well. The input
into a text box goes between " " this time though. So if I type "abc"
it goes between the double quotes. This input is again used by a
document.write(" ") between <script> </script> tags later in the page.
So if I write abc in an input box, it's echoed in 2 places - a) In the
text box itself b) In the document.write(" ") call later on the
page. Effectively this means everything is treated as text in both
places - this includes scripts, javascript: function pointer tricks,
everything. Remember I can't break out again due to the " becoming
&quot and < > becoming &lt &gt. So how do you do this?

All inputs/feedback are welcome. Please let me know if further inputs
are needed.

Thanks
Arvind
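Added here as an example of the defender's side of both problems, not code from the original post or anyone on the list: a context-aware encoder for the two sinks described above (the echoed input attribute and the document.write string), showing why the fix is to quote the attribute and encode per context rather than strip a handful of characters. Function names are this example's own.

```javascript
// Added example, not from the original post: context-aware output encoding for
// the two sinks described in the mail. A blocklist that strips a few characters
// is fragile; the durable fix is to quote the attribute and encode the value for
// each context it lands in. Function names here are this example's own.

// HTML context (attribute value or text node): encode every character that is
// not ASCII alphanumeric as a numeric entity. The /u flag makes the regex
// iterate by code point, so astral characters become one entity, not two.
function encodeForHtml(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (ch) => {
    return "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  });
}

// JavaScript string-literal context: use \uXXXX escapes, never HTML entities.
// Script bodies are not entity-decoded by the HTML parser, and \u escapes keep
// quotes, backslashes, newlines and "</script>" from terminating anything.
// Works on UTF-16 code units, so a surrogate pair becomes two escapes, which
// is exactly what a JS string literal expects.
function encodeForJsString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else {
      out += "\\u" + s.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// Sink 1 from the post: the echoed <input> value. The original markup left the
// value unquoted, so a single space ended the attribute; here it is always
// quoted and the value carries no raw space, quote or angle bracket.
function renderInput(value) {
  return '<input type="text" name="p1" size="50" value="' + encodeForHtml(value) + '">';
}

// Sink 2 from the post: document.write("...") inside <script>. This is two
// contexts stacked: the value is a JS string literal first, and whatever that
// string decodes to is then parsed as HTML. Encode inside-out: HTML first, then
// JS string, so neither parser ever sees a raw special character.
function renderDocumentWrite(value) {
  return '<script>document.write("' + encodeForJsString(encodeForHtml(value)) + '");</script>';
}
```

The constructed input `"a" <b>` contains exactly the characters the mail's filter tries to catch (double quote, space, angle brackets); after encoding, neither rendered fragment contains any of them outside the fixed template.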


