 3  3 | masato - braves parsing finding entity test | InsertScript | 8/3/2025 | XSS | 1 |
70 70 | masato - braves parsing finding valid characters | InsertScript | 8/3/2025 | XSS | 1 |
195 195 | masato - braves parsing finding valid attributes | InsertScript | 8/3/2025 | XSS | 1 |
16 16 | masato - braves parsing finding | InsertScript | 8/3/2025 | XSS | 1 |
| Named HTML entities that can be closed with ! | avlidienbrunn | 7/29/2025 | XSS | 1 |
| Characters cause self closing tag | hackvertor | 7/23/2025 | XSS | 0 |
| Characters ignored following slash in self closing tag | hackvertor | 7/23/2025 | XSS | 0 |
| Characters allowed inside javascript protocol and still returns the hostname | RenwaX23 | 7/21/2025 | JS | 1 |
| Characters allowed after a bigint | hackvertor | 7/18/2025 | JS | 0 |
| Characters allowed either side of a variable assignment | hackvertor | 7/18/2025 | JS | 0 |
| Characters allowed after throw statement | hackvertor | 7/14/2025 | JS | 0 |
82 | encodeURI() not encoded with % | forglockenspielexact | 7/11/2025 | JS | 1 |
| Characters encoded by escape() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURI() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURIComponent() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters before custom tag | s3np41k1r1t0 | 6/23/2025 | XSS | 0 |
| Injection in src attribute PORT, characters that change hostname | reindaelman | 6/15/2025 | JS | 1 |
15 | Characters appended at the end of PORT within URL, which yield a different HOST | reindaelman | 6/15/2025 | JS | 0 |
| Characters allowed as a tag name using DOM APIs | hackvertor | 6/13/2025 | JS | 0 |
| Characters allowed before host name that are ignored | hackvertor | 6/11/2025 | XSS | 0 |
