I don't know whether it was done like this (I haven't had an opportunity to look at the message), but I'm sure that JavaScript embedded like this surely can do some mischief and it will be better to block it.The fact that the post contained some words that should have been blocked is a further support for my JavaScript hypothesis. For example, this script:
document.write(unescape("%48%65%6C%6C%6F%20%57%6F%72%6C%64"))writes a "Hello World" onto the page. Certainly other blocked words can pass the defences in this guise.
