Chrome's XSS filter can still be circumvented in quite a few instances. The easiest way I've seen is when the attacker controls at least two variables and can split the XSS across them in such a way that neither half appears malicious but when loaded into the page they create a malicious script.
Example: ?a=<script>void('&b=');alert('XSS')</script>
The value of a is <script>void(' and the value of b is ');alert('XSS')</script>.