Crossite scripting with UTF-7 characters in URL is possible.
vulners.com/securityvulns/securityvulns:doc:14238
vulners.com/securityvulns/securityvulns:doc:14518
vulners.com/securityvulns/securityvulns:doc:14521