This is a two-step vulnerability: first, prompt injection causes the LLM to generate malicious HTML/JavaScript; then, insecure output handling (rendering the LLM's response as raw HTML) allows the script to execute in the user's browser, resulting in XSS.