There is a major security hole in the comment system that allows XSS attacks. I've confirmed it on my default installation (with cocomment enabled). Is this a known issue? I'm gonna do some more testing with non-default installations but if you would like to help me on this, just comment a post with:
<script>alert(666);</script> and see if you get it interpreted.