Characters unencoded characters supported in the hash

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(33);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(33)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(36);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(36)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(37);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(37)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(38);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(38)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(39);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(39)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(40);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(40)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(41);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(41)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(42);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(42)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(43);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(43)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(44);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(44)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(45);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(45)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(46);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(46)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(47);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(47)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(48);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(48)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(49);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(49)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(50);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(50)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(51);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(51)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(52);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(52)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(53);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(53)

anchor.href='//example.com';0x0D
let chr = String.fromCodePoint(54);0x0D
anchor.hash = chr;0x0D
if(anchor.hash.slice(1).includes(chr))alert(54)

Sample payloads