Web - Client

I had one very simple doubt, in this challenge (CSP Bypass - Nonce 2) we send some HTML tags encoded in url, but any sane person when he sees the url will feel somethings off right ? so how can we actually still send our payload in url but make it random looking test so the other guy doesn’t sense that its a malicious URL