Cross-site scripting (XSS)
Strings are escaped by default, so this unsafe text is rendered as literal text and not interpreted as HTML:
<script>alert("oops, we've been hacked!")</script>
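A minimal sketch of how escape-by-default rendering keeps that string inert, in both element content and attribute values. This is an added example, not the code of the library this page documents; `Trusted`, `render_child`, `element` and `demo` are hypothetical names.

```python
import html


class Trusted(str):
    """Marker for markup produced by the renderer itself; never wrap user input.

    Concatenating or slicing a Trusted value yields a plain str, so derived
    strings fall back to being escaped.
    """


def render_child(child):
    # Escape-by-default: only Trusted instances bypass escaping.
    if isinstance(child, Trusted):
        return str(child)
    return html.escape(str(child), quote=True)


def element(tag, attrs=None, *children):
    # quote=True also escapes " and ', so a value cannot close its attribute.
    attr_text = "".join(
        f' {name}="{html.escape(str(value), quote=True)}"'
        for name, value in (attrs or {}).items()
    )
    body = "".join(render_child(c) for c in children)
    # The renderer's own output is Trusted so nesting does not double-escape.
    return Trusted(f"<{tag}{attr_text}>{body}</{tag}>")


# Constructed untrusted input: the string shown on this page.
UNSAFE = '<script>alert("oops, we\'ve been hacked!")</script>'


def demo():
    escaped = element("p", None, UNSAFE)             # untrusted text as content
    nested = element("div", {"title": UNSAFE}, escaped)  # and as an attribute
    return escaped, nested


if __name__ == "__main__":
    for out in demo():
        print(out)
```
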