John Kurlak uses HTML5’s new JavaScript feature, history.replaceState() to replace the URL of the page with: [RLO] + “lmth.ecruos” When the browser rendered the new URL, the RLO character reversed the letters after it, making the browser display “source.html” in the address bar. When I went to view the source of the web page, my browser tried to view “source of ” .” instead (the characters are the ASCII representation of the hex codes used to represent the character) Then, I simply had to create “” and put my “fake” source code in it. It worked!
Source: https://thehackernews.com/2012/03/exclusive-source-code-spoofing-with.html