The top 20 domains are interesting in that they use hundreds of unique payment links (buy.stripe.com) - it really shows the value in Stripe's investment in No-Code features.

Here are 240 sites (as of today):

https://www.nerdydata.com/reports/fast/72951386-2c5a-4372-9c...

Fun game!

I'd suggest adding a link to the shareable clipboard score.

Still at least two sites [1] actively exploited on https://www.newbalance.com.hk/zh/checkout/cart/ and https://www.clear4vision.com/checkout/cart/ if you view-source

[1]: https://www.nerdydata.com/reports/cloud-iq-net/b9f4d0cc-a686...

Doesn't look isolated to Twilio - seems to be on 85 websites via other affected 3rd party scripts: https://www.nerdydata.com/reports/gold-platinumus-top-track/...

Could be nice to add a message on desktop saying the site only works on mobile! I was confused at first asking for feedback when there was nothing to click on the desktop site.

Ah, yes! thank you!

Related: https://www.bloomberg.com/news/features/2018-06-26/how-to-st...

There was once a bookmarklet to explore and preview Optimizely experiments: https://growthhackers.com/questions/show-gh-spy-on-optimizel...

Try https://nerdydata.com - lets you search by source code also

Yes, they still do depending on how you redirect (i.e. unsanitized: location.href = url).

A nice benefit of using a framework like angular, Vue, react, etc, is that they prevent attacks like this unless you explicitly disable those features.