General

injection attacks on websites means that someone managed to add some unintended part to the website, as if the webserver had sent a different page. So it does allow all things the website could do, no more - no less.
If I type *{display:none}, that is escaped. If this would get inserted into the website as "cleartext", it would be valid html that would hide the entire page, turning it blank. Ofc a comment should not be able to do that, so a > in text is changed to something like &⁤gt;
![alt text]⁤(http⁤s://link⁤.to/an/image.png) is a syntax to insert an image into the comment, so it is parsed into an <img src="http⁤s://link⁤.to/an/image.png" alt="alt text"> html element. In that insertion the contained text was not properly escaped in some cases, so you could have the image contain valid html which would continue on writing into the website. Basically for the alt text ⁤ ⁤ ⁤ " other attribute="attribute val ⁤ ⁤ ⁤ you would get <img src="http⁤s://link⁤.to/an/image.png" alt="" other attribute="attribute val"> instead of <img src="http⁤s://link⁤.to/an/image.png" alt="&⁤quot; other attribute=&⁤quot;attribute val"> which it should have been. And one of the attributes you can add is javascript that is executed at certain times, so you can inject javascript into the page which can do pretty much everything at that point