Researchers from a Romanian security team (InSecurityRomania) have revealed a critical persistent (stored) cross-site scripting (XSS) vulnerability that affects YouTube's comment field.
The issue now appears to be fixed (Google's Official Statement), but it is possible that malicious users had already exploited it to redirect unwitting YouTube viewers to drive-by download pages in order to infect them with malware, adware and spyware. Blackhat internet marketers may also have exploited it on the most viewed YouTube videos to drive significant traffic to their own websites.
TinKode blogged more about it on 3 July, saying that you can activate HTML in comments with:
He also provided further examples of what could be done:
HTML Code Injection
<script><h1> Visit Insecurity.Ro – ISR Security Team <blink><marquee><br><br>TinKode
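The root cause of a stored XSS like this one is that comment text is written into the page markup without HTML encoding, so any tag in the stored comment becomes live markup for every viewer. The block below is an added example, not YouTube's code and not the researchers' code: it shows a deliberately unsafe rendering function next to an escaping one, using the injected string quoted above purely as a constructed test input, plus a small review check that flags rendered output containing tags the template never emitted. All function names are assumptions made for the example.

```javascript
// Added example (not from the original post): rendering untrusted comment
// text safely. The payload is the string quoted in the post, embedded here
// as a constructed sample; it is only treated as text, never executed.
const samplePayload =
  '<script><h1> Visit Insecurity.Ro – ISR Security Team <blink><marquee><br><br>TinKode';

// Escape the five characters that can change HTML context. This must run at
// output time on every untrusted string, whatever its origin.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the comment body is concatenated into markup unchanged, so any
// tag stored in it becomes part of the page for every viewer (stored XSS).
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: both fields are encoded before concatenation, so the browser
// displays the angle brackets literally and never parses a <script> tag.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Review/detection helper: does the rendered output contain any tag name
// other than the ones our own template is allowed to produce? Useful as a
// regression test on a template or as a check over stored comment renders.
function containsInjectedTag(renderedHtml, templateTags = ['div', 'b']) {
  const allowed = new Set(templateTags.map((t) => t.toLowerCase()));
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagRe.exec(renderedHtml)) !== null) {
    if (!allowed.has(match[1].toLowerCase())) return true;
  }
  return false;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = renderCommentUnsafe('TinKode', samplePayload);
  const safe = renderCommentSafe('TinKode', samplePayload);
  console.log('unsafe render contains injected tag:', containsInjectedTag(unsafe));
  console.log('safe render contains injected tag:  ', containsInjectedTag(safe));
  console.log(safe);
}
```

Escaping at output is the baseline; when rendering in the browser, assigning the comment to `textContent` instead of `innerHTML` achieves the same effect without string building, and a Content Security Policy that disallows inline script limits the damage if an encoding step is ever missed.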