For comparison, see the same page without CSP: index.html

This page does NOT allow inline JavaScript; a Content Security Policy (CSP) blocks it.

Attack example

Good feature: allows the user to enter text markup and then add it to the DOM. The text area is read-only for this demo. Click the button below to insert this text into the page. Notice the markup is respected.

Good feature used by an evil attacker
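Whether a page like this one actually blocks inline scripts depends on what the directive governing script elements permits: `script-src-elem` if present, otherwise `script-src`, otherwise `default-src`, and inline execution requires `'unsafe-inline'` in that list without a nonce or hash source alongside it (a nonce or hash makes CSP Level 2 browsers ignore `'unsafe-inline'`). The checker below is an added example, not code from the demo page; the header values it inspects are constructed samples, and the directive-fallback logic is a coarse model of browser behaviour, not a full CSP implementation.

```python
"""Check whether a Content-Security-Policy header value permits inline <script>.

Added example for the CSP demo page. Models the directive fallback chain
script-src-elem -> script-src -> default-src and the CSP Level 2 rule that a
nonce or hash source disables 'unsafe-inline'.
"""
from __future__ import annotations

# Directives consulted, in order, to find the one governing <script> elements.
SCRIPT_ELEMENT_FALLBACK = ("script-src-elem", "script-src", "default-src")

# Source expressions whose presence makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source tokens]}.

    Directives are separated by ';' and tokens by whitespace. Browsers honour
    only the first occurrence of a directive name, so later duplicates are
    dropped here as well. Token case is preserved (nonce values are
    case-sensitive); comparisons below lower-case only the keywords.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def governing_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Return the source list that governs <script> elements.

    None means no applicable directive exists, so the policy places no
    restriction on scripts at all.
    """
    for name in SCRIPT_ELEMENT_FALLBACK:
        if name in policy:
            return policy[name]
    return None


def allows_inline_script(header: str) -> bool:
    """True if an inline <script> block would execute under this policy."""
    sources = governing_sources(parse_csp(header))
    if sources is None:
        return True  # nothing restricts scripts: CSP offers no protection here
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    uses_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    # An empty source list (e.g. "script-src;") blocks everything, including inline.
    return has_unsafe_inline and not uses_nonce_or_hash


# Constructed sample header values; not taken from the demo page.
SAMPLE_POLICIES = {
    "demo_style_blocking": "default-src 'self'; script-src 'self'",
    "unsafe_inline_allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "nonce_disables_unsafe_inline": "script-src 'nonce-r4nd0m' 'unsafe-inline'",
    "fallback_to_default_src": "default-src 'self' 'unsafe-inline'",
    "no_script_directive_at_all": "img-src 'self'",
    "script_src_elem_wins": "script-src-elem 'self'; script-src 'unsafe-inline'",
}


def audit(policies: dict[str, str] = SAMPLE_POLICIES) -> dict[str, bool]:
    """Evaluate each named policy; True means inline scripts would run."""
    return {name: allows_inline_script(value) for name, value in policies.items()}


if __name__ == "__main__":
    for name, inline_allowed in audit().items():
        verdict = "ALLOWS inline script" if inline_allowed else "blocks inline script"
        print(f"{name:32} {verdict}")
```

Run against a real response, the header value to feed in is the `Content-Security-Policy` header (a `Content-Security-Policy-Report-Only` header reports violations but enforces nothing, so it should never count as blocking).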