For the XSS attacker, couldn't they just use `theInput.removeAttribute("writeonly"); alert(theInput.value);`?
Or is this some kind of new "un-removable attribute"?
For the XSS attacker, couldn't they just use `theInput.removeAttribute("writeonly"); alert(theInput.value);`?
Or is this some kind of new "un-removable attribute"?