True as that may be, this doesn't really demonstrate that— it's just 535 different ways to access `location`. A regex would trivially disable every one. Of the things on that list.
I'm not saying there's a trivial regex solution to XSS, I'm saying there's a trivial regex solution to disable every one of these so-called "ways" of reloading the page: s/[\.\[=]//g will do the trick.
I mean, s/location//g will do the trick too, but I was aiming a little more generic.
In case the import of this epic retort is lost on anybody: in the real world, you have to pick and code your defense and then the attacker, who gets essentially infinite time to observe the behavior of your defenses, gets to pick their attack string(s).
Do not rely on regular expressions or blacklists to sanitize code for you. It will not end well.
...and if that were on this list of ways to reload a page in JavaScript that I'm talking about, it would be relevant here.
Look, just read what I'm saying. I swear I know what I'm talking about, and I swear I'm not saying you can reliably sanitize JavaScript with a regex. Really.
This must be like the FizzBuzz thing— programmers just can't resist a challenge, even if it is explicitly marked as not being a challenge.
See, there's another clever trick that actually does something interesting. Really, there's a whole class of toString solutions missing from this list... but I guess you have to stop at some point.