User profile page vulnerable to Cross Site Scripting (XSS) in flaskBlog

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary javascript code. The html template user.html contains the following code snippet to render comments made by a user: {{comment[2]|safe}}. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the |safe tag from the HTML above. No fix is is available and users are advised to manually edit their installation.