And the ruby regex newline vulnerability that featured in one of the later XSS levels was also present in an earlier level, but wasn't necessary for the intended vector, so I wondered if it was an unintentional oversight, or left as an alternate exploit, or just a red-herring? (being intentionally vague so as not to spoil it for anyone...)