alert(1) to win

The code below generates HTML in an unsafe way. Prove it by calling alert(1).

function escape(s) {
  // Warmup.

  return '<script>console.log("'+s+'");</script>';
}
Input
Result

HTML source code


    

Rendered iframe

The code should run without user interaction.

Log output


  
Here be spoilers