<script src="hook.js"></script>
<?php
// you cannot do anything without ...
// no parentheses ...
$escaped = preg_replace("/[()]/", "", $_GET['payload']);
// no event handlers!
$escaped = preg_replace("/.*o.*n.*/i", "", $escaped);
?>
<h1>Hello, <?= $escaped ?>!</h1>
<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here">
<input type="submit" value="GO">
</form>
<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>