// non-id/name attributes are interpreted as cdata
// per: http://www.w3.org/TR/html4/types.html#type-cdata

var s = "<p title=\"&lt;script&gt;alert('TEST')&lt;/script&gt;\">testing 123</p>";
document.body.innerHTML = s;
document.getElementsByTagName('p')[0].getAttribute('title');
// =>  "<script>alert('TEST')</script>"
document.getElementsByTagName('p')[0].title;
// =>  "<script>alert('TEST')</script>"