gistfile1.js

// non-id/name attributes are interpreted as cdata
// per: http://www.w3.org/TR/html4/types.html#type-cdata

var s = "<p title=\"&lt;script&gt;alert('TEST')&lt;/script&gt;\">testing 123</p>";
document.body.innerHTML = s;
document.getElementsByTagName('p')[0].getAttribute('title');
// =>  "<script>alert('TEST')</script>"
document.getElementsByTagName('p')[0].title;
// =>  "<script>alert('TEST')</script>"

gistfile2.js

// there is no way to distinguish, on read, any permutation of encoded or non-encoded values

var s = "<p data-foo=\"\<script\>alert('TEST')&lt;/script&gt;\">testing 123</p>";
document.body.innerHTML = s;
document.getElementsByTagName('p')[0].getAttribute('data-foo');
// =>  "<script>alert('TEST')</script>"


var s = '<p data-foo="' + "<script>alert('TEST')</script>" + '">testing 123' + '</p>';
document.body.innerHTML = s;
document.getElementsByTagName('p')[0].getAttribute('data-foo');
// =>  "<script>alert('TEST')</script>"

gistfile3.js

// setting and reading in-line yields the entities intact

var s = "<p>testing 123</p>";
document.body.innerHTML = s;
document.getElementsByTagName('p')[0].setAttribute('data-foo', "&lt;script&gt;alert('TEST')&lt;/script&gt;");
document.getElementsByTagName('p')[0].getAttribute('data-foo');
// => "&lt;script&gt;alert('foo')&lt;/script&gt;"

gistfile4.html

<html>
    <head>
        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
        <title>HTML Attribute</title>
    </head>
    
    <body>
       <p id="&lt;script&gt;alert('TEST')&lt;/script&gt;">testing 123</p>
       <p class="&lt;script&gt;alert('TEST')&lt;/script&gt;">testing 123</p> 
       <p title="&foo;script&gt;alert('TEST')&lt;/script&gt;">testing 123</p> 
    </body>
</html>