I am sure it has been fixed, as its an old version
url removed

but how could you actually post malicious script code??

Through input boxes, ex: where you type in your name if it was done incorrectly you could type in < script >error(hi)< /script >, that's not one that would hurt anyone else but this happened once at Motorola.