| Characters allowed to end a JS string | sqjor | 7/17/2024 | JS | 0 |
| Characters allowed within a hostname but don't change the hostname | ThomasOrlita | 4/30/2024 | JS | 1 |
 15 | Characters appended at the end of PORT within URL, which yield a different HOST | reindaelman | 6/15/2025 | JS | 0 |
275 | Characters appended at the end of TLD within URL, which yield in the same Origin | hansmach1ne | 1/5/2025 | JS | 2 |
31 | Characters appended at the end of TLD within URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
| Characters before custom tag | s3np41k1r1t0 | 6/23/2025 | XSS | 0 |
1  1 | Characters between < and element name | ThomasOrlita | 4/15/2024 | HTML | 1 |
7 7 | Characters between element name and > | ThomasOrlita | 4/15/2024 | HTML | 0 |
| Characters encoded by encodeURI() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURIComponent() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by escape() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters ending XML Processing Instructions (WIP) | ola456 | 2/4/2025 | XSS | 0 |
| Characters ignored after backslash with multiline string | hackvertor | 6/18/2024 | JS | 0 |
| Characters ignored in an attribute name | hackvertor | 5/28/2024 | XSS | 0 |
| Characters ignored in strings when doing a non strict comparison | hackvertor | 6/18/2024 | JS | 0 |
| Characters in-between square brackets that close cdata | hackvertor | 10/8/2024 | XSS | 0 |
| Characters not urlencoded when using the credentials part of the URL | hackvertor | 5/28/2024 | JS | 1 |
| Characters not urlencoded when using the shema part of the URL | d0ge | 9/24/2024 | JS | 0 |
| Characters prepended to URL host. check if difference between URL and a tag | InsertScript | 1/10/2025 | JS | 0 |
30  30 | Characters prepended to URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
