Jan 18

HttpUtility.UrlEncode

Category: Security

Today I was breaking a web app that built up some JS using querystring values that had been run through HttpUtility.UrlEncode. Since I was not 100% sure what leverage that got me, I decided to dig deep and look through the disassembly of the function. Turns out you get a lot of characters to play with, including... single quote (')!! Yay for me :)

Characters not encoded by UrlEncode:


(
)
*
-
.
_
!
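For anyone fixing this pattern, here is an added example (not code from the original post or the app it describes) that prints which punctuation `HttpUtility.UrlEncode` leaves unchanged on the framework it runs on, then shows the URL-encoded script builder next to one using `HttpUtility.JavaScriptStringEncode`, the encoder meant for a JS string literal. The class name, method names, the `name` variable and the sample value are all assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using System.Web; // HttpUtility

static class JsContextEncoding
{
    // Printable ASCII punctuation that UrlEncode returns unchanged
    // on whatever framework version this is run against.
    static string PunctuationLeftUnencoded()
    {
        var chars = Enumerable.Range(0x20, 0x5F)          // 0x20 .. 0x7E
            .Select(i => (char)i)
            .Where(c => !char.IsLetterOrDigit(c))
            .Where(c => HttpUtility.UrlEncode(c.ToString()) == c.ToString());
        return new string(chars.ToArray());
    }

    // Before: URL encoding applied to a value that ends up inside a
    // JavaScript string literal (hypothetical reconstruction of the pattern).
    static string BuildScriptUrlEncoded(string name)
    {
        return "var name = '" + HttpUtility.UrlEncode(name) + "';";
    }

    // After: the encoder matches the output context. Passing true makes
    // JavaScriptStringEncode emit the surrounding double quotes itself.
    static string BuildScriptJsEncoded(string name)
    {
        return "var name = " + HttpUtility.JavaScriptStringEncode(name, true) + ";";
    }

    static void Main()
    {
        Console.WriteLine("Left unencoded by UrlEncode: " + PunctuationLeftUnencoded());

        string sample = "O'Brien"; // constructed sample value, not from the post
        Console.WriteLine(BuildScriptUrlEncoded(sample));
        Console.WriteLine(BuildScriptJsEncoded(sample));
    }
}
```

Running the first helper in a test suite is a quick way to confirm whether a given deployment's `UrlEncode` still passes the characters listed above.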
