| Characters allowed inside javascript protocol and still returns the hostname | RenwaX23 | 7/21/2025 | JS | 1 |
 4  4 | Characters allowed before the JavaScript protocol colon | RemakingEden | 3/3/2025 | XSS | 0 |
| Scheme slash alternatives in URL() when a base is used | N25sec | 5/22/2025 | JS | 0 |
| URL domain dot alternatives | JorianWoltjer | 9/10/2024 | JS | 5 |
5 | Characters allowed between multiple HTML attributes | JorianWoltjer | 9/12/2024 | XSS | 2 |
2 | JIS X 0208 bytes that produce ASCII characters | JorianWoltjer | 9/22/2024 | JS | 1 |
| Characters encoded by escape() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURI() | JorianWoltjer | 7/4/2025 | JS | 1 |
| Characters encoded by encodeURIComponent() | JorianWoltjer | 7/4/2025 | JS | 1 |
14 | Active formatting elements | JorianWoltjer | 5/1/2024 | XSS | 0 |
1 | Characters that change length on .toLowerCase() | JorianWoltjer | 4/11/2024 | JS | 1 |
4 | Entities allowed between two forward slashes | InsertScript | 9/19/2024 | XSS | 1 |
| Characters allowed in colon entity | InsertScript | 9/19/2024 | XSS | 0 |
| Character that closes HTML tag | InsertScript | 4/2/2024 | HTML | 0 |
1 | characters allowed between exclamation mark and greater then | InsertScript | 6/18/2024 | HTML | 0 |
31 | Characters appended at the end of TLD within URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
30 30 | Characters prepended to URL, which yield in the same host property | InsertScript | 1/10/2025 | JS | 0 |
| Characters prepended to URL host. check if difference between URL and a tag | InsertScript | 1/10/2025 | JS | 0 |
| characters after slash that make a http protocol | InsertScript | 4/3/2024 | XSS | 0 |
| Character allowed after onerror event | InsertScript | 4/2/2024 | XSS | 0 |
