Deseret characters are located in the U+010000..U+10FFFF range (the supplementary planes), so even in UTF-16 they are encoded as surrogate pairs, i.e. each takes two 16-bit code units (somewhat misleadingly called `char`s in Java).
`constructor` is the only all-lowercase alphabetic property name that is `in` every plain JavaScript object (it is inherited from `Object.prototype`), and it can be involved in obscure XSS, so it can be used to abuse code that uses JavaScript objects as lookup tables.
```js
var empty = {};
if ('constructor' in empty && empty['constructor']) {
  // runs: `constructor` is inherited from Object.prototype, not an own property
}
empty['constructor']['constructor']('alert(1)')(); // Object -> Function; parses and runs the string
```
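As an added example (not code from the original page), here is a command dispatcher that uses a plain object as a lookup table, the same dispatcher hardened, and the chain from the inherited `constructor` key to `Function`. The command names and the `return 6 * 7` payload are constructed sample data; it is the same escalation as the snippet above with a benign payload in place of `alert(1)`.

```javascript
// Added example (not code from the original page): a command dispatcher that
// uses a plain object as a lookup table, the same dispatcher hardened, and the
// chain an attacker walks from the inherited "constructor" key. The command
// names and the payload string are constructed sample data.
const commands = {
  ping: () => 'pong',
  echo: (arg) => arg,
};

// Vulnerable: both `in` and bracket lookup consult the prototype chain, so
// "constructor" (inherited from Object.prototype) passes the check and resolves
// to the Object function, which is then called with attacker-chosen input.
function unsafeDispatch(name, arg) {
  if (name in commands && typeof commands[name] === 'function') {
    return commands[name](arg);
  }
  return undefined;
}

// Hardened: only own properties count. Using a Map, or Object.create(null) as
// the table, removes the inherited keys entirely and is the cleaner fix.
function safeDispatch(name, arg) {
  if (Object.prototype.hasOwnProperty.call(commands, name) &&
      typeof commands[name] === 'function') {
    return commands[name](arg);
  }
  return undefined;
}

// The escalation from the snippet above with a benign payload: commands.constructor
// is Object, Object.constructor is Function, and Function(source) compiles and
// returns arbitrary code.
function compileViaLookupTable(source) {
  const objectCtor = commands['constructor'];     // Object
  const functionCtor = objectCtor['constructor']; // Function
  return functionCtor(source);                    // a new function built from source
}

console.log(unsafeDispatch('constructor', 'x'));      // a String wrapper object, not a command
console.log(safeDispatch('constructor', 'x'));        // undefined
console.log(compileViaLookupTable('return 6 * 7')()); // 42
```

The `typeof ... === 'function'` guard in the vulnerable version is deliberately insufficient: inherited methods such as `toString` and `constructor` are functions too, so only an own-property check (or a prototype-less table) closes the hole.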
Made a couple of changes to the format strings:
- added more `%s`; this increases the chance of crashing. Sometimes the stack layout is just right and 1 or 2 `%s` will not cause a crash
- added `%n`. This should cause a crash, even if several other specifiers don't
- added `%@`; this is for Objective-C format functions.
The massive adoption of Promises made many programs potentially vulnerable to "accidental Promises".
In short, a program might take user input and build an object like this:
```js
{
[userInput]: AnyFunction
}
```
...when the object above is handed to a Promise, nothing breaks until the user input is exactly `"then"`. Once it is *then*, the Promise assumes the object is another Promise (a thenable), and in trying to assimilate this accidental Promise it calls the function. After that, one of three things will happen:
1. The function calls one of the continuations provided by the Promise, and the program continues with some unexpected data (this is highly unlikely)
1. The program hangs and never terminates (if the function just stores its arguments and never calls them)
1. The program terminates early, failing to execute any other chained Promises (the more likely case)
For more in-depth information, please refer to the appropriate sections in the articles I've written regarding this issue:
1. [Broken Promises - Specialized API](https://medium.com/@avaq/broken-promises-2ae92780f33#6828)
1. [A clarification with examples to the article above](https://medium.com/@avaq/im-referring-to-the-fact-that-a-promise-is-eagerly-evaluated-as-opposed-to-lazily-evaluated-5385cc519e3b#33cd) (see the part under "I never found myself creating an object with a then method")
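The three outcomes above, as an added example that is not part of the original text. It builds a record keyed by untrusted input, hands it to `Promise.resolve`, and reports whether the record passed through, hung, or rejected; the sample functions `storesInput` and `throwsOnCall` and the `safeObserve` boxing fix are constructed for this example.

```javascript
// Added example, not from the original page. A record keyed by untrusted input
// becomes an "accidental Promise" when the key is exactly "then". The sample
// functions and the boxing fix below are constructed for this illustration.
function buildRecord(userInput, fn) {
  return { [userInput]: fn };
}

// Hand the record to the Promise machinery and report what happened:
// 'value'    the record was passed through untouched (key was not "then")
// 'hung'     assimilation called the accidental `then`, which never called
//            resolve/reject, so the chain never settles (detected by timeout)
// 'rejected' the accidental `then` threw, so the chain rejected early
function observeAssimilation(userInput, fn, timeoutMs = 50) {
  const record = buildRecord(userInput, fn);
  const settle = Promise.resolve(record).then(
    (v) => ({ outcome: 'value', passedThrough: v === record }),
    (err) => ({ outcome: 'rejected', message: err.message })
  );
  const timeout = new Promise((resolve) =>
    setTimeout(() => resolve({ outcome: 'hung' }), timeoutMs)
  );
  return Promise.race([settle, timeout]);
}

// Hardened: never make an object with untrusted keys the resolution value
// itself. Boxing it in a fixed-shape wrapper means only the wrapper is
// inspected for a `then` property, so the record's keys no longer matter.
function safeObserve(userInput, fn) {
  const record = buildRecord(userInput, fn);
  return Promise.resolve({ record }).then((box) => box.record === record);
}

// Constructed stand-ins for whatever function the program actually stored.
const storesInput = (...args) => { storesInput.seen = args; };
const throwsOnCall = () => { throw new Error('unexpected call'); };

observeAssimilation('name', storesInput).then((r) => console.log('name:', r));
observeAssimilation('then', storesInput).then((r) => console.log('then + store:', r));
observeAssimilation('then', throwsOnCall).then((r) => console.log('then + throw:', r));
safeObserve('then', storesInput).then((ok) => console.log('boxed:', ok));
```

Note that the accidental `then` is invoked from a microtask, not synchronously at `Promise.resolve`, which is why the hang only shows up once the surrounding chain is awaited.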
These two characters change byte length when lowercased, which is quite unusual behaviour. This can cause issues in code that assumes the input length equals the length after processing.
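The length assumptions discussed here and in the Deseret note above, as an added example that is not code from the original page. It measures a string as UTF-16 code units (what `String#length` reports), as code points and as UTF-8 bytes, before and after `toLowerCase()`. The sample characters (a Deseret letter, U+0130 and the Kelvin sign) are my own choice to illustrate these classes of behaviour; the page itself does not name its two characters.

```javascript
// Added example, not code from the original page. The sample characters are
// chosen for illustration; the page does not name the two it refers to.
function measure(s) {
  return {
    codeUnits: s.length,                             // UTF-16 units (Java char, JS length)
    codePoints: [...s].length,                       // Unicode scalar values
    utf8Bytes: new TextEncoder().encode(s).length,   // bytes on the wire / in storage
  };
}

// Compare the three sizes across String#toLowerCase.
function lowercaseDelta(s) {
  const lower = s.toLowerCase();
  const before = measure(s);
  const after = measure(lower);
  return {
    lower,
    before,
    after,
    unitDelta: after.codeUnits - before.codeUnits,
    utf8Delta: after.utf8Bytes - before.utf8Bytes,
  };
}

// A limit enforced on the raw input does not bound the stored value if the
// value is lowercased afterwards; validate the processed form instead.
function fitsAfterProcessing(s, maxUtf8Bytes) {
  return measure(s.toLowerCase()).utf8Bytes <= maxUtf8Bytes;
}

const SAMPLES = {
  deseretLongI: '\u{10400}', // DESERET CAPITAL LETTER LONG I: 1 code point, 2 code units, 4 bytes
  dottedI: '\u0130',         // LATIN CAPITAL LETTER I WITH DOT ABOVE: lowercases to i + U+0307 (2 -> 3 bytes)
  kelvin: '\u212A',          // KELVIN SIGN: lowercases to ASCII k (3 -> 1 byte)
};

for (const [name, s] of Object.entries(SAMPLES)) {
  console.log(name, lowercaseDelta(s));
}
console.log('U+0130 fits in 2 bytes before lowercasing:', measure(SAMPLES.dottedI).utf8Bytes <= 2);
console.log('U+0130 fits in 2 bytes after lowercasing: ', fitsAfterProcessing(SAMPLES.dottedI, 2));
```

The Deseret sample shows the surrogate-pair point: one user-visible character, but two code units, so any buffer sized in `length` units and any byte limit derived from it disagree with each other. The other two show that case mapping can grow or shrink the byte count, in both directions.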