 1 | Includes Validation Chars Allowed | Simpsonpt | 10/8/2024 | JS | 1 |
 2 | JIS X 0208 bytes that produce ASCII characters | JorianWoltjer | 9/22/2024 | JS | 1 |
| JavaScript Scheme starting with http | BinaryScary | 7/16/2024 | JS | 1 |
| JavaScript Scheme starting with https:// | BinaryScary | 6/28/2024 | JS | 4 |
| JavaScript separators between function names | InsertScript | 4/2/2024 | JS | 0 |
| List of HTML elements that convert to arbitrary string | joaxcar | 4/10/2024 | XSS | 0 |
25 | Loose comparison, characters appended which still result in type coercion | hansmach1ne | 1/6/2025 | JS | 0 |
| Malformed HTML comments | hackvertor | 1/17/2025 | XSS | 0 |
1143 | Mutated XSS Attributes | IDKdir | 7/13/2024 | XSS | 0 |
| Mutated XSS with img onerror | sqjor | 7/30/2024 | XSS | 0 |
29 | Non-standard characters that break JSON.parse() | DreyAnd | 11/15/2024 | JS | 1 |
| Properties are accessible in a sandboxed iframe | hackvertor | 6/7/2024 | JS | 0 |
| Properties that are accessible on location | hackvertor | 6/7/2024 | JS | 0 |
| Properties that contain URLs | hackvertor | 5/31/2024 | JS | 2 |
| Properties that leak the parent URL even when sandboxed | hackvertor | 6/6/2024 | JS | 0 |
| Quotes | dogspyagent | 7/13/2024 | XSS | 0 |
| React DOM src | IDKdir | 7/15/2024 | JS | 0 |
| Scheme slash alternatives in URL() when a base is used | N25sec | 5/22/2025 | JS | 0 |
5  5 | Tags that DO NOT support HTML comments | hackvertor | 1/26/2025 | XSS | 0 |
| Tags that HTML encode it's contents | hackvertor | 7/16/2024 | XSS | 0 |
