My last name has an apostrophe in it which Apple apparently loves to embed directly into their JavaScript unescaped. For a long time neither I nor Apple could look up AppleCare status on my stuff as they were all linked to my Apple ID. The portal would thus require me to log in, but then would just show a partially rendered page as my last name was causing a JS syntax error.
Hmm, it sure sounds like John <script>alert(1);</script>Doe (Bobby Tables' distant cousin) should sign up for an Apple account. An XSS attack which could target the AppleCare reps' machines could be catastrophically bad...
You'd think the apostrophe would be common enough they'd know it could happen, but no.
I love to enter it and see what each vendor and website's backend does with it.
The Staples Canada website, for example, returns it as &#39; (HTML escaped)
A couple times I've logged in, it seems to escape a new character. I'm currently up to &amp;#39;
Haha yeah I'm fairly used to seeing HTML escaping in my name.
The weirdest case I've had with that is the Six Flags mobile app. To add a season pass you need to provide your card number and last name. For the life of me I couldn't get it to validate, but I saw they showed the HTML escaped version in their e-mails to me. Turns out I had to type out "'" into their input box for my last name as that's apparently what they put in their database.
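
As an added example (not written by any poster in this thread, and not code from any of the sites mentioned), the JavaScript below reproduces the two failure modes the comments describe: a name spliced unescaped into a script, and HTML escaping applied to the stored value again and again instead of once at output. The surname O'Brien and all function names are constructed for illustration.

```javascript
// Added illustration; O'Brien is a constructed sample surname.
const SAMPLE = "O'Brien";

// Broken: splices the raw name into a single-quoted JS string literal.
function embedNaive(name) {
  return "var lastName = '" + name + "';";
}

// Safer: emit a JSON string literal, then escape characters that could close
// the enclosing <script> element or act as line terminators in old parsers.
function embedSafe(name) {
  const lit = JSON.stringify(name).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return "var lastName = " + lit + ";";
}

// HTML text encoding, meant to be applied once, at output time.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// The "one more escape per login" bug: the stored value is re-encoded each round.
function escapeRounds(name, rounds) {
  let v = name;
  for (let i = 0; i < rounds; i++) v = escapeHtml(v);
  return v;
}

// True if the generated statement is syntactically valid JavaScript (parse only).
function parses(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Run a generated statement and return the value it assigned to lastName.
function assignedValue(src) {
  return new Function(src + " return lastName;")();
}

console.log(embedNaive(SAMPLE), "parses:", parses(embedNaive(SAMPLE)));
console.log(embedSafe(SAMPLE), "parses:", parses(embedSafe(SAMPLE)));
console.log("stored after 1 and 2 rounds:", escapeRounds(SAMPLE, 1), escapeRounds(SAMPLE, 2));
```

Storing the raw name and encoding only when rendering, with the encoder that matches the output context (script literal versus HTML text), avoids both symptoms.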