If a web server sends <script>alert('tsk tsk')</script> in the HTML it returns, the browser parses that markup as a script element and executes the JavaScript inside it (OK unless it lands inside a textarea or similar, where the content is treated as raw text and the tag is not parsed, though an attacker who can also write </textarea> can break back out*).
If a site writes text into the page client-side using element.innerHTML, that text is handed to the HTML parser, so any markup in it becomes live elements (innerHTML is the hacker's best friend; note that a <script> inserted this way does not execute, so the payload is usually something like an <img> with an onerror handler instead). If they use element.textContent, the string becomes a single text node and is never parsed, whatever it contains (booooo).
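The two sinks side by side, plus the server-side escape that stops the first case (markup sent straight from the server). This is an added example, not code from the original post; the function names and the constructed payload are mine, and the DOM part only runs where a document object exists (a browser), so in Node only the escaper is exercised.

```javascript
// Added example, not from the original post. Compares the unsafe sink
// (innerHTML) with the safe one (textContent) and shows the escaping that
// makes server-rendered untrusted text safe in an HTML text context.

// Server-side / template fix: escape the characters that can start markup or
// close an attribute before the string is written into the page body.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Client-side, the unsafe sink: the string goes through the HTML parser, so
// tags in it become real elements and their event handlers become live.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
}

// Client-side, the safe sink: the string becomes one text node and is never
// parsed, no matter what it contains.
function renderSafe(el, untrusted) {
  el.textContent = untrusted;
}

// Payload constructed for this demo. An <img onerror> is used rather than
// <script> because script elements inserted via innerHTML do not execute,
// whereas event handler attributes on other inserted elements do.
const PAYLOAD = '<img src=x onerror="alert(\'tsk tsk\')">';

// Counts how many <img> elements a given rendering produced: 1 means the
// payload was parsed as markup, 0 means it stayed inert text.
function countImages(el) {
  return el.querySelectorAll('img').length;
}

// Only runs in a browser; in Node there is no document, so just the escaper
// above is testable.
if (typeof document !== 'undefined') {
  const unsafe = document.createElement('div');
  renderUnsafe(unsafe, PAYLOAD);
  console.log('innerHTML, raw payload  -> img elements:', countImages(unsafe));   // 1

  const safe = document.createElement('div');
  renderSafe(safe, PAYLOAD);
  console.log('textContent, raw payload -> img elements:', countImages(safe));    // 0

  const escaped = document.createElement('div');
  renderUnsafe(escaped, escapeHtml(PAYLOAD));
  console.log('innerHTML, escaped      -> img elements:', countImages(escaped)); // 0
}
```

escapeHtml is only correct for the HTML text context (and double-quoted attribute values); text landing inside a script block, a URL, or an event handler attribute needs a different encoder for that context.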