The demo uses a fake post list in JavaScript instead of a real database, so the stored XSS section stays safe to run.
const storedPosts = [
{
user: 'alice',
initials: 'AL',
content: 'Just joined this platform.',
injected: false
}
];function renderStoredFeed() {
feed.innerHTML = storedPosts.map((post) => {
return escapedMarkup;
}).join('');
}