 25  25 | Characters allowed between variable name and equals sign | 0x999-x | 4/9/2024 | JS | 0 |
| test | 0x999-x | 4/10/2024 | JS | 0 |
| Characters allowed between HTML attributes | 0x999-x | 4/10/2024 | XSS | 0 |
4 4 | Characters that can break out of a single line comment | 0x999-x | 4/10/2024 | JS | 0 |
| Characters that can start an HTML comment | 0x999-x | 7/18/2024 | HTML | 2 |
20 | HTML tags and attributes that can be used to access the URL | 0x999-x | 11/4/2024 | XSS | 1 |
| Unicode characters with a decomposition of 2+ ASCII characters and are registerable domains | 0x999-x | 5/7/2025 | XSS | 1 |
4 | HTML elements that inherit properties which return the full URL | 0x999-x | 11/14/2024 | XSS | 0 |
2 2 | HTML tags that can clobber the credentials part of the URL | 0x999-x | 11/4/2024 | XSS | 1 |
1 | Characters that can break out of an inline style with single quotes | 0xdef1ant | 7/13/2024 | XSS | 0 |
1 | Characters that can break out of an inline style with double quotes | 0xdef1ant | 7/13/2024 | XSS | 0 |
1 | Characters that can break out of an inline style background-image url | 0xdef1ant | 7/13/2024 | XSS | 1 |
| JavaScript Scheme starting with http | BinaryScary | 7/16/2024 | JS | 1 |
| JavaScript Scheme starting with https:// | BinaryScary | 6/28/2024 | JS | 4 |
2 | Bytes that will scramble ISO-2022-JP | Cillian-Collins | 12/26/2024 | XSS | 1 |
2 | Bytes that will normalize ISO-2022-JP | Cillian-Collins | 12/26/2024 | XSS | 1 |
1 1 | < removal bypass | Device1306 | 10/9/2024 | HTML | 0 |
29 | Non-standard characters that break JSON.parse() | DreyAnd | 11/15/2024 | JS | 1 |
8 | Characters that expand upon toUpperCase() | DreyAnd | 4/10/2024 | JS | 0 |
| React DOM src | IDKdir | 7/15/2024 | JS | 0 |
