Tags: javascript, angularjs, html-escape-characters

How does angular escape bound values?
Let's take this simple angular snippet:

<input type="text" ng-model="name" />
<p>Hello {{name}}</p>

If I enter the text <script>document.write("Hello World!");</script> it looks as if this is not executed but displayed as is. But if I have a look at the generated HTML I see the script tag without any escapes.

I expected to see the angular brackets as HTML escape characters. So how does angular make sure this code is not executed?

(See Plunker http://plnkr.co/DeUCP74RZSGE2ypLqyRY)

Solution

  • It is actually HTML encoding it, which is why it isn't running. If you're using the Chrome dev tools, it is showing them as regular angle brackets just for readability.

    If you right click on the value and click "Edit as HTML", you'll see the content HTML encoded.
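The distinction the answer draws can be modelled outside the browser. The following is an added example, not code from the question, the answer or AngularJS itself: it contrasts a text-node binding (what {{name}} produces, serialized the way "Edit as HTML" shows it) with the raw markup splice that an innerHTML assignment would perform. The function names, the escape table and the TEMPLATE/INPUT constants are this example's own assumptions; the input string is the one from the question.

```javascript
// Added example (not from the question, the answer or AngularJS): models why a
// bound value is shown as text rather than parsed as markup. AngularJS writes
// the interpolated value into a text node, so the browser never parses it as
// HTML; serializing that node (what "Edit as HTML" displays) yields the
// entity-encoded form. Everything below runs in plain Node with no DOM.

// Characters a browser encodes when it serializes a text node or attribute.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Serialize a string the way a text node is serialized back into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Safe binding: models {{name}}. The value becomes text, so the serialized
// markup carries entities and no <script> element ever comes into existence.
function renderTextBinding(template, value) {
  return template.replace('{{name}}', escapeHtml(value));
}

// Unsafe pattern, shown for contrast only: splicing the raw string into markup
// the browser will parse, equivalent to element.innerHTML = value. Tags inside
// the value become real elements.
function renderRawBinding(template, value) {
  return template.replace('{{name}}', value);
}

// Check whether serialized markup contains an actual script element
// (an encoded "&lt;script&gt;" does not match).
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the template from the question and the input typed into it.
const TEMPLATE = '<p>Hello {{name}}</p>';
const INPUT = '<script>document.write("Hello World!");</script>';

console.log('text binding :', renderTextBinding(TEMPLATE, INPUT));
console.log('raw binding  :', renderRawBinding(TEMPLATE, INPUT));
console.log('script element present (text binding):', containsScriptElement(renderTextBinding(TEMPLATE, INPUT)));
console.log('script element present (raw binding) :', containsScriptElement(renderRawBinding(TEMPLATE, INPUT)));
```

Running it prints the entity-encoded form for the text binding, which is exactly what "Edit as HTML" reveals in the dev tools, while the raw splice keeps a live script tag. The dev tools' Elements panel decodes entities for display, which is why the two look the same there until the node is viewed as HTML.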