Consider a social networking app where a user can make a post. If another user submits a post with a script tag, it can execute malicious actions when rendered on another user's browser.
In an online store, an attacker could manipulate the search query string to execute malicious scripts when a targeted user clicks on a manipulated link.
[
add
]
[
|
|
...
]