However, this is just one possible scenario. In any case, fake information can be injected into the web site to make it appear as something different.
The correct fix is of course to encode user input properly before displaying it on the web site, just like it's done with user input meant to be used in SQL statements (in SQL injection attacks, this is not done properly). Normally, languages used to design web applications already provide means to encode user input for use in web sites; for example, Perl has encode_entities() in the HTML::Parser package.
The claim that the problem is only in the browser is of course entirely wrong. The web site contains additional information which is not supposed to be there, and the browser cannot tell the difference between wanted and unwanted content. If the input is not properly sanitized, this of course means that the browser will interpret it wrong.
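To make the two preceding points concrete, here is an added example (not code from the original page or from any project it mentions) in Python, using the standard library's `html.escape()` as the counterpart of Perl's `encode_entities()`. It renders a constructed user comment into an HTML fragment twice, once without encoding and once with output encoding applied, and then runs a small HTML parser over each result to show which tags a browser-like parser actually sees. The comment text, the page fragments, and the function names are all assumptions made up for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input, as a user might submit it in a comment form.
# It mixes harmless markup with a script element to show the difference.
SAMPLE_COMMENT = "I <b>love</b> this site <script>alert('xss')</script>"


def render_unsafe(comment: str) -> str:
    """The 'before' case: user input is concatenated into the page verbatim."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment: str) -> str:
    """The fix: encode for the HTML text context at the moment of output.

    quote=False is enough between tags; <, > and & are turned into entities,
    so whatever the user typed is displayed as text, not parsed as markup.
    """
    return f'<p class="comment">{html.escape(comment, quote=False)}</p>'


def render_attr_safe(value: str) -> str:
    """Attribute context: the quote characters must be encoded as well,
    otherwise input could close the attribute early. quote=True does that."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records the start tags a parser encounters, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_seen_by_browser(fragment: str) -> list[str]:
    """Parse a fragment the way a browser would and return the tags it finds.

    This is the point of the last paragraph: the parser has no way to know
    which tags the site author intended and which ones arrived via user input.
    """
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(SAMPLE_COMMENT)),
                        ("safe", render_safe(SAMPLE_COMMENT))):
        print(f"{label}: {page}")
        print(f"  tags parsed: {tags_seen_by_browser(page)}")
    print(render_attr_safe('say "hi"'))
```

Running it shows the unencoded page being parsed as `p`, `b` and `script` elements, while the encoded page contains only the intended `p`; the user's text survives unchanged on screen because the entities are rendered back into the original characters. The encoding is applied at output time and per context (text body versus attribute value), which is the property a reviewer should look for rather than ad hoc filtering of input.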