We try to prevent that since some time with different approaches.
For example, we allow only certain tags in comments (with the help of
strip_tags()), we don’t make links clickable, and use tidy for further
clean up, but we also wrote a little method, which tries to clean the
most common exploit attempts with some preg magic. But I doubt, that we
catch every possible exploit…