This is an XSS script:
<svg><script>alert(1)</script></svg>
The code between the <script> tags will be translated to alert(1) by the browser and executed.
But if I don't use an <svg> tag, the code won't be translated to script.
Can anyone tell me why this happens? How does the <svg> tag work?
to get a reference to an embedded SVG document instead. The best way to get access to the Document representing an SVG document is to look at HTMLIFrameElement.contentDocument (if the document is presented in an <iframe>) or HTMLObjectElement.contentDocument (if the document is presented in an <object> element), like this:
An SVG script element is equivalent to the script element in HTML and thus is the place for scripts (e.g., ECMAScript).
If you want to reference a whole SVG file, SVG 2 (when implemented in browsers) will allow referencing another SVG file without any fragment identifier: "New in SVG 2: An href without a fragment allows an entire SVG document to be referenced without having to ensure that it has an ID on its root element."
The use of character references within script tags is explicitly disallowed by the HTML parser according to the HTML 5 specification.
HTML5 has a separate script parsing mode as one of a number of tokenisation modes that vary with context. Script parsing does not allow character references, some of the other parsing modes do.
SVG is based on XML where the rules are much simpler and more straightforward. Basically character references are allowed anywhere because there aren't different context sensitive parsing modes.
For SVG in HTML, the HTML specification says:
The svg element from the SVG namespace falls into the embedded content, phrasing content, and flow content categories for the purposes of the content models in this specification.
In other words, parse all SVG text as phrasing content. All SVG is a single custom tokenisation mode for the HTML 5 parser.
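As an added example (not part of the question or of any answer above), the following JavaScript models the two tokenizer behaviours this answer describes: a <script> element in ordinary HTML content hands its text to the script engine verbatim, while a <script> inside an <svg> element is tokenized as normal data, so character references are decoded before the text becomes script. The functions decodeCharRefs, scriptSourceAsExecuted, findScripts and entityObfuscatedScripts and the SAMPLE_* strings are assumptions of this example, not browser or library APIs; findScripts is a deliberately simplified scanner that assumes <svg> elements are not nested and that "<script" does not occur inside comments or attribute values. The last function is the check a content scanner or sanitizer wants: compare the raw script text with what would actually execute, so that markup which only turns into code under an SVG-context parse is not overlooked.

```javascript
// Added example: a minimal model of how the HTML tokenizer treats <script> text
// in ordinary HTML content versus inside <svg> (foreign) content.
// All function names and sample inputs here are constructed for illustration.

const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode numeric (&#97; / &#x61;) and the five XML named character references,
// the way an XML/SVG-style text parse would. Unknown references are left alone.
function decodeCharRefs(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : whole;
  });
}

// Text the script engine receives for a <script> element, by context:
//  - 'html': the tokenizer is in "script data" state, so the text is passed
//            through verbatim and character references are never decoded;
//  - 'svg':  a <script> start tag inside SVG content does not switch the
//            tokenizer to "script data" state, so the text is tokenized as
//            ordinary data and character references are decoded.
function scriptSourceAsExecuted(scriptText, context) {
  switch (context) {
    case 'html': return scriptText;
    case 'svg': return decodeCharRefs(scriptText);
    default: throw new Error(`unknown context: ${context}`);
  }
}

// Locate every <script> element, note whether it sits inside an <svg> element,
// and record both the raw text and the text that would actually execute.
// Simplified on purpose: assumes <svg> elements are not nested inside each
// other and that "<script" never appears inside comments or attribute values.
function findScripts(markup) {
  const found = [];
  let svgDepth = 0;
  const tagRe = /<(\/?)(svg|script)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (name === 'svg') {
      svgDepth += closing ? -1 : 1;
      continue;
    }
    if (closing) continue; // a stray </script> with no open element
    const start = m.index + m[0].length;
    const closeRe = /<\/script\b/gi;
    closeRe.lastIndex = start;
    const close = closeRe.exec(markup);
    const end = close ? close.index : markup.length;
    const context = svgDepth > 0 ? 'svg' : 'html';
    const raw = markup.slice(start, end);
    found.push({ context, raw, executed: scriptSourceAsExecuted(raw, context) });
    tagRe.lastIndex = end; // resume scanning at the closing tag
  }
  return found;
}

// Defensive check for a content scanner or sanitizer: report script blocks whose
// executed source differs from the raw text. Such blocks only become code after
// an SVG-context parse, so a filter that matches on the raw bytes misses them.
function entityObfuscatedScripts(markup) {
  return findScripts(markup).filter((s) => s.executed !== s.raw);
}

// Constructed sample inputs: identical script text, with and without <svg>.
const SAMPLE_HTML = '<p>hello</p><script>&#97;lert(1)</script>';
const SAMPLE_SVG = '<p>hello</p><svg><script>&#97;lert(1)</script></svg>';

for (const sample of [SAMPLE_HTML, SAMPLE_SVG]) {
  for (const s of findScripts(sample)) {
    console.log(`${s.context}: raw=${JSON.stringify(s.raw)} executed=${JSON.stringify(s.executed)}`);
  }
}
```

Run it with node: the two sample strings differ only in the enclosing <svg>, and only the SVG sample yields executed source that differs from its raw text. In the plain HTML sample the script engine receives the undecoded text, which is not valid script, so nothing runs; that is the difference the question observes, and it is also why a filter that inspects only the raw bytes reports nothing for the SVG case.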