I've skimmed through the docs. Each tag that you can use is a PHP class. It knows exactly which attributes it can take and it can do some validations on the attribute values. I'd assume that it knows when there's supposed to be JS in an attribute value and when there's supposed to be text.