To abuse a script gadget, the attacker injects a benign-looking element into the page that matches the gadget's selector. The gadget then selects that element and executes attacker-controlled scripts. Because the initially injected element is benign, it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.
<div data-role="button" data-text="I am a button"></div>
<script>
  // Select every element marked as a button.
  var buttons = $("[data-role=button]");
  // This is a script gadget: the attribute value is written back as HTML.
  buttons.html(buttons.attr("data-text"));
</script>
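An added example, not from the original page: a defender-side check that runs over sanitizer output and flags elements that match a known gadget's selector and whose source attribute decodes to markup. The `GADGETS` inventory, the function names and the sample HTML are assumptions constructed for illustration, and the tokenizer is a small stand-in for a real HTML parser.

```javascript
// Hypothetical gadget inventory; the single entry models the data-role button gadget.
const GADGETS = [{ attr: "data-role", value: "button", source: "data-text", sink: "jQuery .html()" }];
const NAMED = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"]]);

// Decode the entities a browser resolves in attribute values (small subset, assumption).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, e) => {
    if (e[0] !== "#") return NAMED.get(e.toLowerCase()) ?? m;
    const cp = e[1].toLowerCase() === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Yield tag name and decoded attributes for each start tag (not a full HTML parser).
function* startTags(html) {
  const tagRe = /<([a-z][a-z0-9-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const [, tag, rawAttrs] of html.matchAll(tagRe)) {
    const attrs = new Map();
    for (const [, name, dq, sq, bare] of rawAttrs.matchAll(attrRe)) {
      const key = name.toLowerCase();
      // Browsers keep the first occurrence of a duplicated attribute.
      if (!attrs.has(key)) attrs.set(key, decodeEntities(dq ?? sq ?? bare ?? ""));
    }
    yield { tag: tag.toLowerCase(), attrs };
  }
}

// Flag gadget inputs whose decoded value the sink would parse as markup.
function auditGadgetInputs(html, gadgets = GADGETS) {
  const findings = [];
  for (const { tag, attrs } of startTags(html)) {
    for (const g of gadgets) {
      if (attrs.get(g.attr) !== g.value || !attrs.has(g.source)) continue;
      const value = attrs.get(g.source);
      // "<" followed by a letter, "/", "!" or "?" opens a tag or comment in HTML.
      if (/<[a-z\/!?]/i.test(value)) findings.push({ tag, source: g.source, sink: g.sink, value });
    }
  }
  return findings;
}

// Constructed sample of sanitizer output: only elements and data-* attributes.
const SAMPLE = [
  '<div data-role="button" data-text="I am a button"></div>',
  '<div data-role="button" data-text="&lt;b&gt;bold&lt;/b&gt; label"></div>',
  '<div data-role=\'button\' data-text="a &#60;i&#x3e;b"></div>',
  '<div data-role="panel" data-text="&lt;b&gt;not a gadget target&lt;/b&gt;"></div>',
].join("\n");

console.log(auditGadgetInputs(SAMPLE));
```

The audit compares the decoded attribute value because that is what `.attr()` returns to the gadget, even though the serialized HTML the sanitizer saw contained only entities. In the gadget itself, replacing `.html()` with jQuery's `.text()` makes the value render as text instead of markup.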