This reminds me of a demo I saw Billy Hoffman[1] do a while back at a conference. He demonstrated a way of embedding whitespace in a forum post that is mapped to a malicious JS method injected via XSS. The point was to circumvent HTML sanitation attempts to strip raw JS code.<p>This tool could be used for something similar. Just replace the semicolon token[2] with something less obvious (say '\t' for example), and you've got a pretty interesting tool.<p>[1]: <a href="https://en.wikipedia.org/wiki/Billy_Hoffman" rel="nofollow">https://en.wikipedia.org/wiki/Billy_Hoffman</a>
[2]: <a href="https://github.com/RodH257/SemicolonScript/blob/master/Default.htm#L41" rel="nofollow">https://github.com/RodH257/SemicolonScript/blob/master/Defau...</a>