Javascript injection in comments #252
Description
It looks like a comment on https://jsperf.com/bind-vs-other-ways forces a redirect to a movie download
<object class="frame" data="http://tinyurl.com/yc76oyab" type="application/xhtml+xml"><param name="allowscriptaccess_denied" value="never" /></object>