For comparison, see the same page in its secured form: index-secure.html

Inline JavaScript is a security risk

This page allows inline JavaScript, like the following:

<script>some code</script>

This is very insecure, because unsanitized user input might insert a script tag and then execute arbitrary code on the page.

Attack example

Good feature - allows the user to enter text markup and then add it to the DOM. The text area is read-only for this demo. Click the button below to insert this text into the page. Notice the markup is respected.
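The feature above, written out as an added example that is not part of the demo page: the same user text is rendered twice, once the way the demo does it (raw markup goes straight into the HTML, so a script tag becomes live code) and once hardened (the text is escaped, so the browser shows the markup literally). The sample input, the `renderUnsafe`/`renderSafe` helpers and the `containsScriptTag` check are constructed for this example; the page itself does not name them.

```javascript
// Constructed sample input, standing in for what a user might type into the
// text area. It carries harmless-looking markup plus a script element.
const SAMPLE_INPUT = '<b>hello</b> <script>attackerCode()</script>';

// Vulnerable pattern (what the demo does): user text is concatenated into
// HTML unchanged, which is equivalent to `el.innerHTML = userText` in the
// browser. Any <script> in the text becomes part of the page.
function renderUnsafe(userText) {
  return `<div class="user-text">${userText}</div>`;
}

// Escape the five characters that can change HTML structure. After this the
// browser renders "<b>" as the visible text "<b>" rather than a bold element.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the same template, but user text is treated as data.
// In the browser the simplest equivalent is `el.textContent = userText`,
// which never parses tags at all.
function renderSafe(userText) {
  return `<div class="user-text">${escapeHtml(userText)}</div>`;
}

// Detection helper for reviews and tests: does the rendered HTML still carry
// a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both renderings side by side.
console.log('unsafe:', renderUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderSafe(SAMPLE_INPUT));
console.log('unsafe still has <script>?', containsScriptTag(renderUnsafe(SAMPLE_INPUT)));
console.log('safe still has <script>?  ', containsScriptTag(renderSafe(SAMPLE_INPUT)));
```

Escaping keeps the user's text visible but inert; if the feature genuinely needs to honour a subset of markup (bold, links), the text has to go through an allow-list HTML sanitizer rather than `innerHTML`, and a Content-Security-Policy that disallows inline scripts limits the damage when sanitization is missed.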
Good feature used by an evil attacker