... can't be rendered as a script when it's displayed it's not an attack against the server, but against fellow users of the service nowadays the web platform offers you tools so that you can block scripts without actually having to escape the input on the server-side but while some of those are good, ...