It looked like Movable Type was no longer sanitizing comments, which it did until version 3.2.
Since both our installations were heavily modified, we were not sure whether it was due to our code modifications or an inherent Movable Type problem. I checked at a number of other weblogs and found out that script injection was a problem at some but not at others.
I immediately brought this bug to the attention of Six Apart, the company that makes Movable Type. They confirmed the issue and clarified that it affected only those users who had disabled the nofollow plugin distributed with MT 3.33. They also asked me for 30 days before making the issue public so that they could work on a fix.
While there has not been any announcement by Six Apart on this matter, I expect that they would fix it in the bugfix release 3.34 currently being worked on in their code repository.
Meanwhile, if you are using Movable Type 3.3, here are your options. If you have the nofollow plugin enabled (which it is by default), you shouldn’t have a problem. Otherwise:
- Enable the nofollow plugin.
- Edit your templates by adding `sanitize="1"` to the MT comment tags, like this:
UPDATE: It looks like the sanitize function is completely disabled when you disable the nofollow plugin as it isn’t sanitizing my entry text either.
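To make concrete what comment sanitization of this kind actually does, here is an added illustration written for this post. It is not Movable Type's own sanitizer (which is Perl) and not the template snippet referred to above: a small allowlist-based HTML filter in Python that drops `<script>` blocks, event-handler attributes and `javascript:` URLs from a comment body, keeps the output balanced, and adds `rel="nofollow"` to links. The tag and attribute allowlist, the helper names and the sample comment are assumptions chosen for the example.

```python
# Added example (not Movable Type's code): an allowlist HTML sanitizer for
# comment bodies, in the spirit of what sanitize="1" is meant to provide.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for the example: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "p": set(), "br": set(), "blockquote": set(), "code": set(), "pre": set(),
}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def safe_url(value: str) -> bool:
    """Accept relative, http(s) and mailto URLs; reject javascript:, data:, etc.
    Control characters and spaces are stripped before the scheme check so that
    tricks like "java\\tscript:" or a leading space do not hide the scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags and attributes. Unknown tags are
    dropped but their text is kept (escaped); <script>/<style> content is
    discarded entirely; comments and declarations are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of emitted, not-yet-closed tags
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept, seen = [], set()
        for name, value in attrs:
            # Not on the allowlist (this covers every on* handler), duplicated,
            # or valueless: drop the attribute.
            if name in seen or name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not safe_url(value):
                continue
            seen.add(name)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow"')
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{''.join(kept)} />")
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close intervening tags so output stays balanced
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw: str) -> str:
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comment for the example.
    sample = ('<p>Nice post <script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">click</a> '
              '<b onmouseover="y()">bold</b> &lt;not a tag&gt;</p>')
    print(sanitize_comment(sample))
```

The design choice worth noting is that the filter is an allowlist, not a blocklist: anything not explicitly permitted is removed, so a new tag or attribute name the author never thought of is rejected by default rather than passed through.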
UPDATE II: Movable Type 3.34 fixes the problem.