HTML5 Client-side Stored XSS in Web SQL Database

Secure Example:

In this example the tweet is properly encoded before being displayed to the user and is safe against XSS attacks.
OWASP's ESAPI4JS is used for performing the encoding.

Even if an attacker injects raw HTML, it does not lead to Cross-site Scripting.
Executing the same function used in Insecure Example 2 does not create a Stored Cross-site Scripting condition. Check.
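The difference between the insecure and secure rendering paths, as an added example that is not the demo's own code. It assumes tweets come back from the client-side database as rows with a `text` field; `encodeForHTML` here is a small stand-in written for this example, not ESAPI4JS itself, and the sample rows are constructed.

```javascript
// Stand-in HTML entity encoder for this example (assumption: not the ESAPI4JS implementation).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHTML(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed sample rows, shaped like results read back from a local tweet table.
const storedTweets = [
  { id: 1, text: 'Reading about HTML5 storage' },
  { id: 2, text: '<img src=x onerror="alert(1)">' }, // raw HTML saved earlier
  { id: 3, text: 'Tom & Jerry <3' },
];

// Insecure pattern: stored text is concatenated into markup unchanged.
function renderInsecure(rows) {
  return rows.map((r) => '<li>' + r.text + '</li>').join('');
}

// Secure pattern: every stored value is encoded at the point of output,
// regardless of how or when it entered the database.
function renderSecure(rows) {
  return rows.map((r) => '<li>' + encodeForHTML(r.text) + '</li>').join('');
}

// Review/test helper: list the element names that open in a markup string.
function tagsIn(markup) {
  const tags = markup.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.map((t) => t.match(/^<([a-zA-Z0-9]+)/)[1].toLowerCase());
}

// The template only ever emits <li>; any other element came from stored data.
function hasInjectedMarkup(markup) {
  return tagsIn(markup).some((name) => name !== 'li');
}

console.log('insecure injected:', hasInjectedMarkup(renderInsecure(storedTweets)));
console.log('secure injected:  ', hasInjectedMarkup(renderSecure(storedTweets)));
console.log(renderSecure(storedTweets));
```

Encoding happens when the value is written to the page, not when it is stored, so rows that were saved before the fix are also rendered safely.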

Demo

Offline Twitter:

What's happening?