Imagine an HN-like page is written in this and uses unchecked in some code path for displaying user comments.
I comment something that exploits that code. Then when you come along and view my comment. Now whatever my exploit does is running with your permissions instead of mine.
No, the exploit would be in the comment text. You're exploiting a bug in the comment display code when it displays your comment to another user to do something that the comment display code isn't supposed to do.
Much like exploiting a C program that handles untrusted text and doesn't bounds check it. You aren't supposed to be able to run any code at all, but a vulnerability lets you make the program do something it isn't supposed to.
Some of the easiest exploits would be prevented since you probably can't overwrite code like you can (or used to be able to, a lot of platforms have added protection against this) in C, but some exploits are still possible just by overwriting other variables with values that the program doesn't expect.
Imagine an HN-like page is written in this and uses unchecked in some code path for displaying user comments.
I comment something that exploits that code. Then when you come along and view my comment. Now whatever my exploit does is running with your permissions instead of mine.