by maybevain 1859 days ago
It seems they are fetching the comments from the Hacker News Algolia index. Curiously, they seem to un-sanitize the comment content before inserting it into the page DOM, as one of the sibling comments proves.

The Algolia index contains the comments encoded as HTML entities, so they should be safe to insert as is, but it seems like the page is first converting it back to HTML, which causes the script and span tags to render as HTML instead of text like here on HN.


Algolia has some rough edges. I've tried to work with them on a couple of occasions but it's a bit of a harder problem than meets the eye because apparently Algolia gets a feed directly from HN with the original comment contents as they were typed into the text box rather than the rendered HTML version of the comment, which ironically would probably be easier to deal with. I have a particular comment discussing HTML injection that I've worked with them twice to stop rendering as actual script tags, which means, yes, it actually regressed once.