I only recently found out about the now weeks-old cross-site scripting vulnerability in the Blosxom writeback plugin. Since the comments plugin, which I use, is based on the writeback plugin, it was logical to assume that it would also be vulnerable, and it is.
I adapted KyleM.xwell's patch for comments; here is the adapted patch. It works for me, but as always, there is no warranty, not even the implied warranty that the patch patches the vulnerability.
Update: Note that the patch only filters new comments; you need to manually check your existing comment base.