I have just upgraded, and assumed that this would be fixed, but it hasn't!
If you want to be terrified, give it a try yourself.
All someone needs to do is put this in a comment:
...and anyone who visits that post will be redirected to another site that could do all sorts of bad things, like load malware, or phish for info, etc...
PLEASE PLEASE PLEASE patch this!
In the meantime, I guess I have to write a plug-in to sanitize comments? How could this have been left open for soooo long?!
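For anyone considering the "write a plug-in to sanitize comments" route, here is an added example of what such a sanitizer has to do. It is not code from the original post or from whatever platform the poster is running (the platform is not named above, so nothing here is tied to it), and the comment payload is not reproduced; the inputs in the tests are constructed. The approach is an allowlist: keep only a fixed set of tags and attributes, drop script/meta/iframe-style elements together with their contents, and refuse any link whose scheme is not http, https or mailto. Everything else in the comment is re-escaped as text, so a comment cannot carry the markup needed to redirect the reader.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist: anything not listed here is removed from the comment.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "code", "pre",
                "blockquote", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements whose *contents* must also be dropped, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def is_safe_url(value):
    """Reject javascript:/data:/vbscript: links, including obfuscated ones
    such as 'java\\tscript:' that browsers still execute."""
    if value is None:
        return False
    # Browsers ignore control and whitespace characters inside the scheme.
    v = "".join(ch for ch in value.strip().lower()
                if ch.isprintable() and not ch.isspace())
    scheme = urlparse(v).scheme
    return scheme == "" or scheme in SAFE_SCHEMES   # "" = relative URL


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted fragments
        self.open_tags = []    # stack of allowed tags we have emitted
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still kept
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, etc.
            if name == "href" and not is_safe_url(value):
                continue
            clean.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close back down to this tag so the output stays well nested.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Entities were decoded by the parser; re-escape for output.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw_html):
    """Return an allowlisted, re-escaped version of a user-submitted comment."""
    p = CommentSanitizer()
    p.feed(raw_html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample input, not the payload from the post above.
    sample = ('<p>Hi <b>there</b> <script>location="https://evil.example"</script>'
              '<a href="javascript:alert(1)" onclick="x()">x</a></p>')
    print(sanitize_comment(sample))
```

Two things to note: the checks are applied after the parser has lowercased tag names and decoded entities, so tricks like `<ScRiPt>` or `&#106;avascript:` in an href do not slip past the string comparisons; and for production use a maintained sanitizer library is preferable to hand-rolled code, because the list of things a browser will treat as executable is long and changes over time. The example is here to show what the sanitizer must be doing, not to replace one.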