I think you are remembering. In the blog screenshot of myspace, when it says "Javascript is not allowed", it was acting as "a sign, not a cop" [0]. Most websites were riddled with security flaws, to the point that you'll find there wasn't really any comprehensive listing of major vulnerabilities in websites because people didn't really understand that an XSS was a problem until someone actually used it in an attack. This example from 2005 shows that their security to prevent JS was sorely lacking.
I think you are remembering. In the blog screenshot of myspace, when it says "Javascript is not allowed", it was acting as "a sign, not a cop" [0]. Most websites were riddled with security flaws, to the point that you'll find there wasn't really any comprehensive listing of major vulnerabilities in websites because people didn't really understand that an XSS was a problem until someone actually used it in an attack. This example from 2005 shows that their security to prevent JS was sorely lacking.
[0] https://en.wikipedia.org/wiki/Samy_(computer_worm)