Here's the code for displaying a text popup on a website: That code is just text, so if Reddit simply copied the text I just posted into the web page, anyone who visited this comment section would see a popup that says "Hello". Instead, Reddit modifies the text I wrote so it looks the same but is no longer valid code. If a website forgets to modify text like this, it opens up the possibility for a malicious person to insert code into comments. A malicious person wouldn't display a popup though, they'd write a program that grabs login data and sends it to a server they control. That's a cross-site scripting attack, or XSS More on reddit.com

One of the sneaky things about XSS is that it can fly under the radar if you're not careful with input validation and output encoding. It's like leaving your front door open for anyone to waltz in. Always sanitize user inputs and be cautious with third-party scripts, they're not as friendly as they seem! More on reddit.com

There are 3 basic types of XSS: reflected, stored and DOM based. Stored XSS is an attack on a site that allows user to submit and store HTML in some way (eg in a comment or user profile). If the input is not properly filtered, an attacker can embed malicious JavaScript in the HTML. Then anyone who visits the site and happens to bring up that user's comment will get the payload. Reflected XSS is when a site takes user input and embeds it in the page, but without storing it on the server. An example would be a multistep form that uses your answer to the first question to determine the next question, eg "what's your favourite food?" If the user answers "pizza", the form then asks "what's your favourite pizza?" But the user answers with , the form will ask "what's your favourite " if it doesn't correctly filter/validate the user input. It's "reflected" because the user's input is reflected back to them in the HTTP response from the server. But since this isn't stored on the server, the attacker would need to trick the user into opening a crafted URL with the malicious answer embedded in it. DOM XSS is similar, but the difference is that the HTTP response from the server doesn't change, it's only what happens on the client side that differs. This is where the site takes user input and uses it directly in JavaScript on the page. The user input never hits the server, so the server-side code can't filter/validate the input, instead the JavaScript itself must do it. Again, you would need to trick a user into opening a specially crafted URL to execute this attack. Aside from safely encoding/filtering/validating user input in code, the other way to prevent these attacks is by implementing a strict Content Security Policy on the web server that only allows scripts with the right nonce or hash to be executed. More on reddit.com

You mean things like codepen or jsbin? All of the JavaScript code you run is run locally in your browser, so you can't do harm to anyone except yourself. More on reddit.com