The Unescape function has been used quite a bit to obscure links and code injected in to websites when they have been hacked. There’s been an iFrame injection hack that injects script in to peoples index.html, index.php pages normally in the footer or header. The exploit has also been known to exploit login.php pages and similar where sensitive data such as passwords are entered.
The most common is an iFrame containing a URL that eithers sends personal data to the hacker, or tries to run malware on the users PC.
They can be to a domain name or IP, and the most common place the code is injected is right before the closing