
Wasif
Tera Guru

Cross-site scripting (XSS) is a type of vulnerability in which a bad actor injects malicious code into an application, and that code is then unintentionally run by users' browsers.
HTML type fields are the most susceptible to these attacks in ServiceNow: a <script> tag, for instance, can trigger executable code and cause harm to the system.
For that reason, although ServiceNow has taken some steps, such as removing some tags when a value is saved or received through an integration, HTML fields still need additional effort and attention.
As a best practice, there are also other functions that sanitize HTML before it is inserted, to keep the instance free of XSS vulnerabilities.
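
A strict allowlist screen for a value headed into an HTML field, as an added example (plain JavaScript for Node.js, not ServiceNow code or a ServiceNow API). The function name screenHtmlField, the tag and attribute allowlists, and the sample values are assumptions; the check rejects a value instead of trying to repair it, and treats any "<" outside a well-formed allowed tag as a finding.

```javascript
// Added example: reject-don't-repair screen for HTML field input.
// ALLOWED_TAGS / ALLOWED_ATTRS / SAFE_URL are assumptions; tune per field.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'strong', 'em',
                              'ul', 'ol', 'li', 'a', 'span', 'div']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class']);
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

// One tag: name, then attribute text whose quoted values may contain '>'.
const TAG = /<\/?([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"']+))?/g;

function screenHtmlField(html) {
  const findings = [];
  // Inspect every well-formed tag and strip it from the text.
  const rest = String(html).replace(TAG, (whole, name, attrText) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) findings.push(`tag not allowed: <${tag}>`);
    for (const m of attrText.matchAll(ATTR)) {
      const attr = m[1].toLowerCase();
      const value = (m[2] || '').replace(/^["']|["']$/g, '');
      if (!ALLOWED_ATTRS.has(attr)) {
        findings.push(`attribute not allowed: ${attr} on <${tag}>`);
      } else if (attr === 'href' &&
                 !SAFE_URL.test(value.replace(/[\s\u0000-\u001f]/g, ''))) {
        // Scheme allowlist after removing whitespace and control characters.
        findings.push(`URL scheme not allowed in href on <${tag}>`);
      }
    }
    return '';
  });
  // Whatever is left must be text; a literal '<' should arrive as &lt;.
  if (rest.includes('<')) findings.push('stray "<" outside a well-formed tag');
  return findings; // empty array means the value passed the screen
}

// Constructed sample values, not taken from a real instance.
const samples = [
  '<p>Hello <b>world</b></p>',
  '<p>ok</p><script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
  '<img alt=">" src=x onerror=alert(1)>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', screenHtmlField(s));
}
```

A value with any finding should be rejected or stored as escaped text; this screen complements, and does not replace, the platform's own sanitization.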

 

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0786043
