User comments are rendered without sanitization, allowing arbitrary HTML/JavaScript injection (XSS).
Comments are properly sanitized/escaped to prevent XSS attacks, ensuring safe rendering.
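The two states described above, as an added example that is not code from the original page or the project it describes. The function names, the comment object shape and the sample input are assumptions made for illustration.

```javascript
// Added example: comment rendering before and after the fix.
// Function names and the comment object shape are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that can end a text node or a quoted attribute value.
// null/undefined become an empty string; other values are stringified first.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: user-controlled fields are concatenated into markup as-is,
// so markup in the body or a quote in the author field changes the DOM.
function renderCommentUnsafe(comment) {
  return `<li class="comment" title="${comment.author}">${comment.body}</li>`;
}

// After: every user-controlled field is escaped at the point of output.
function renderCommentSafe(comment) {
  return `<li class="comment" title="${escapeHtml(comment.author)}">` +
    `${escapeHtml(comment.body)}</li>`;
}

// Constructed sample input: markup in the body, a quote in the author field.
const sample = {
  author: 'guest" onmouseover="alert(1)',
  body: "<img src=x onerror=alert(1)> nice post & thanks",
};

// Render the same comment both ways so the outputs can be compared.
function demo() {
  return { unsafe: renderCommentUnsafe(sample), safe: renderCommentSafe(sample) };
}

console.log(demo());
```

This escaping covers HTML text nodes and quoted attribute values only; comment data placed into URLs, inline scripts or style contexts needs context-specific encoding instead.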