Script tags (and others) are being removed (not escaped) from comments.
Currently we sanitize and remove <script>, <textarea>, and other things from comment input. In reality we should create a white list and escape everything not on the white list.
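
One way to implement the allowlist-and-escape behaviour proposed above, as an added example that is not the project's own code. The tag list and the name `sanitize_comment` are assumptions. It escapes the whole comment first and then restores only bare allowlisted tags, so attributes and unknown tags stay visible as text instead of being removed.

```python
import html
import re

# Assumed allowlist for illustration; the report does not say which tags to keep.
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "code", "p", "blockquote"})

# After html.escape(), a bare tag such as <b> or </b> reads &lt;b&gt; / &lt;/b&gt;.
# A tag carrying attributes contains spaces and quotes, so it never matches.
_ESCAPED_TAG = re.compile(r"&lt;(/?)([a-zA-Z][a-zA-Z0-9]*)&gt;")


def sanitize_comment(raw: str) -> str:
    """Escape everything, then re-enable only bare, properly nested allowlisted tags."""
    escaped = html.escape(raw, quote=True)
    open_tags = []  # stack of allowlisted tags opened so far

    def restore(match):
        closing = match.group(1) == "/"
        name = match.group(2).lower()
        if name not in ALLOWED_TAGS:
            return match.group(0)  # not allowlisted: stays escaped
        if not closing:
            open_tags.append(name)
            return f"<{name}>"
        if open_tags and open_tags[-1] == name:
            open_tags.pop()
            return f"</{name}>"
        return match.group(0)  # stray or misnested closing tag: stays escaped

    body = _ESCAPED_TAG.sub(restore, escaped)
    # Close anything the commenter left open so markup cannot leak into the page.
    return body + "".join(f"</{name}>" for name in reversed(open_tags))


if __name__ == "__main__":
    # Constructed sample comments.
    for sample in (
        "<script>alert(1)</script>",
        "<b>hi</b> <textarea>x</textarea>",
        '<b onclick="evil()">x</b>',
        "<i>unclosed",
    ):
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```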