JSLR uses randomized attributes and tags to prevent an attacker from injecting malicious content. The HTML is parsed via the DOM before it's rendered, and only legitimate attributes make it through. It's possible to prevent DOM-based injection inside allowed scripts and attributes by randomizing quotes.
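A sketch of the filtering step described above, added here as an illustration and not JSLR's own code. It assumes trusted tag and attribute names carry a per-response random suffix (`_<nonce>`) and models the parsed DOM as plain objects so it runs without a browser; `newNonce`, `unmark`, `filterNode`, `demo` and the suffix format are hypothetical.

```javascript
const crypto = require('crypto');

// Per-response random suffix appended to trusted names (assumed format).
function newNonce() {
  return crypto.randomBytes(8).toString('hex');
}

// Strip the suffix from a marked name; return null for unmarked names.
function unmark(name, suffix) {
  return name.length > suffix.length && name.endsWith(suffix)
    ? name.slice(0, -suffix.length)
    : null;
}

// node: { tag, attrs, children } or a text string. Hypothetical stand-in
// for a parsed DOM tree so the filter runs outside a browser.
function filterNode(node, nonce) {
  if (typeof node === 'string') return node; // text stays inert text
  const suffix = '_' + nonce;
  const tag = unmark(node.tag, suffix);
  if (tag === null) return null; // unmarked element: drop the whole subtree
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const real = unmark(name, suffix);
    if (real !== null) attrs[real] = value; // unmarked attributes are dropped
  }
  const children = (node.children || [])
    .map((child) => filterNode(child, nonce))
    .filter((child) => child !== null);
  return { tag, attrs, children };
}

// Constructed sample: template markup carries the nonce, injected markup does not.
function demo() {
  const nonce = newNonce();
  const s = '_' + nonce;
  const tree = {
    tag: 'div' + s, attrs: {}, children: [
      { tag: 'a' + s, attrs: { ['href' + s]: '/home', onclick: 'injected()' },
        children: ['Home'] },
      { tag: 'img', attrs: { src: 'x', onerror: 'injected()' }, children: [] },
      { tag: 'b_0000000000000000', attrs: {}, children: ['guessed suffix'] },
    ],
  };
  return filterNode(tree, nonce);
}
```

The protection rests on the suffix being unpredictable and regenerated for every response; a suffix that leaks into attacker-readable output or is reused across responses lets injected markup mark itself as trusted.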

Try to inject this page: DOM injection, Anchor injection

Legit functions

Legit Tags

Test anchor no javascript protocol allowed

javascript protocol allowed

Access this text

List of glory

  1. @securityshell x5
  2. @cgvwzq x4
  3. @0x6D6172696F x3
  4. @irsdl x2
  5. @kkotowicz
  6. @hasegawayosuke
  7. @kinugawamasato
  8. @shafigullin
  9. @masa141421356
  10. @disenchant_ch

innerHTML debug check