Dear list,
tl/dr: Todays releases will escape HTML/JS "inactive" in all page editor contexts per default. If you trust your authors/users you may reactivate this under "Administration > Editing > ILIAS Page Editor".
Long version:
To a certain extent ILIAS allows to included HTML/JS content in page editor content, e.g. in learning modules. This was a desired feature in the early days of ILIAS and enabled authors to extend the features of the standard editor.
In the context of wikis, this has been deactivated since the beginning (HTML is escaped in a way it is not interpreted by browsers), for other parts like blogs and portfolios it is possible to configure this behaviour.
Even if the page editor can log every change in its "page history", there has been an ongoing discussion between the trade-off of flexibility and security (possible XSS attacks), see e.g. https://docu.ilias.de/goto_docu_wiki_wpage_5406_1357.html
Since not everyone is aware of the implications and since this has been reported as a security issue multiple times now, all page editor contexts will escape HTML in a way it is not interpreted by browsers anymore. "Administration > Editing > ILIAS Page Editor" has been extended to allow the configuration for each context individually.
Please note: This is only related to page editor content. HTML Learning modules and uploaded SCORM packages always allow to upload HTML and Javascript content. Do not give permission to create these resources to users you do not trust. Use the RBAC to set permissions accordingly or deactivate these components completely.
Best regards Alexander Killing