Defenses: No server-side reflection. Vulnerability is in client-side JavaScript that reads from location.hash.
This page has no server-side reflection. The vulnerability is entirely in the client-side JavaScript. Check the source!
Use the URL hash (#) to inject content.
Waiting for hash input...