Movable Type 3.33 has a script injection bug if the nofollow plugin is disabled. Comment text is no longer sanitized as it should be.