Script tags (and others) are being removed (not escaped) from comments.

Currently we sanitize and remove <script>,<textarea>, and other things from comment input. In reality we should create a white list and escape everything not on the white list.