For comparison, see the secured version of this page: index-secure.html
This page allows inline JavaScript, such as:
<script>some code</script>
This is very insecure, because unsanitized user input might insert a script tag and then execute any code on the page.
Good feature - allows the user to enter text markup and then add it to the DOM. The text area is read-only for this demo. Click the button below to link this text into the page. Notice the markup is respected.
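One way to keep this markup feature without letting user input carry a script tag into the DOM, shown as an added example that is not part of the original demo page: escape everything, then restore only a short allowlist of attribute-free tags. The names escapeHtml, sanitizeMarkup and ALLOWED_TAGS, the choice of allowed tags, and the sample inputs are assumptions made for this sketch.

```javascript
// Added example, not code from the demo page. All names here are hypothetical.
// Tags the "good feature" is allowed to render; everything else stays text.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "u", "p", "br", "ul", "ol", "li"]);

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Step 1: escape every HTML metacharacter so the whole input is inert text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Step 2: restore only bare opening/closing tags whose name is allowlisted.
// A tag carrying any attribute does not match the pattern and stays escaped,
// and a script tag stays escaped because "script" is not on the allowlist.
function sanitizeMarkup(text) {
  const bareTag = /&lt;(\/?)([a-zA-Z][a-zA-Z0-9]*)&gt;/g;
  return escapeHtml(text).replace(bareTag, (match, slash, name) => {
    const tag = name.toLowerCase();
    return ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match;
  });
}

// Constructed sample inputs: wanted markup, the page's script tag,
// a tag with an attribute, and text that already contains an entity.
const samples = [
  "Hello <b>bold</b> and <em>emphasis</em><br>",
  "<script>some code</script>",
  '<b class="big">attribute is not restored</b>',
  "literal &lt;b&gt; typed by the user",
];

for (const input of samples) {
  console.log(JSON.stringify(input), "=>", JSON.stringify(sanitizeMarkup(input)));
}
```

The returned string is what would be assigned to the container's innerHTML in place of the raw text. Tag balance is not checked, so a stray closing tag can still affect layout, and markup that needs attributes calls for a maintained sanitizer library instead.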
Good feature used by an evil attacker