Setting a Content-Security-Policy (CSP) header will usually prevent most of these scripts from running, because your policy should only allow trusted websites to make cross-site requests.
The easiest example is to test with this username:

```html
<!-- use this as your username -->
<script>alert('test')</script>
<!-- or maybe add some tag after your username -->
<span onload="alert('virus')">Calistro</span>
```
- in a chat, you may use strip_tags (PHP)
- if you want to escape the HTML
You need to sanitize the data, either before reading it, or before storing it and reading it.
```
# of course this URL won't work
https://site.com/?id=<script>code...</script>
```
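The defenses listed above, applied to this page's test username and to the `?id=` URL, as an added PHP example that is not part of the original page. The helper names `e`, `chat_text` and `valid_id` are hypothetical, and the rule that `id` must be a positive integer is an assumption.

```php
<?php
declare(strict_types=1);

// Escape a value for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Chat policy (hypothetical helper): plain text only, so drop the markup,
// then still escape what is left before it is written into the page.
function chat_text(string $value): string
{
    return e(strip_tags($value));
}

// Hypothetical helper: "id" is assumed to be a positive integer, so anything
// else is rejected instead of being cleaned up.
function valid_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample input: the test username from this page.
$username = "<script>alert('test')</script> "
          . "<span onload=\"alert('virus')\">Calistro</span>";

// Constructed sample input: the query string of the URL from this page.
parse_str('id=' . rawurlencode('<script>code...</script>'), $query);
$rawId = (string) ($query['id'] ?? '');

echo "strip_tags only : ", strip_tags($username), PHP_EOL;
echo "chat message    : ", chat_text($username), PHP_EOL;
echo "escaped profile : ", e($username), PHP_EOL;

$id = valid_id($rawId);
if ($id === null) {
    // The rejected value is only ever echoed back in escaped form.
    echo "rejected id     : ", e($rawId), PHP_EOL;
} else {
    echo "accepted id     : ", $id, PHP_EOL;
}
```

`strip_tags` removes the tags but keeps the text between them and any quotes, which is why `chat_text` still escapes after stripping.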
To summarize, a hacker sends you a link to a vulnerable website, with code inside the link that exploits the vulnerability to hack you.