I don't have the full details...
but it seemed that all you had to do was wrap your script in a <script> tag.
epic fail?
Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site. The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that …
This post has been deleted by its author
Please note that Google hasn't said "The bloody stupid users are using Youtube wrong", not has Sergey Brin or Larry Page posted a comment saying "Its just common sense to not search for Justin Beiber".
They stopped the problem spreading and then fixed it. A quick, efficient and sensible response. They _may_ be becoming something of a potentially evil empire, but at least they're efficient about it! Look at the mess Labour made of the same thing...
Thumbs up, Google.
I have read many news about this vuln and no one credited TinKode from Romanian InSecurity Team who discovered first the issue and published details and a proof-of-concept on his blog on 3rd of July (http://blog.insecurity.ro/youtube-html-code-injection/)
The report that I saw, and not on a Ms. Bieber video (who is she, anyway?), said:
"Your computer is f***ed. You can thank <name> for this devastation."
I dimly recall the name sounding Germanic, and there were no asterisks. Did NoScript prevent a payload from another site, or was it just a Scary Message?
I spent Sunday afternoon running all my anti-whatever tools "just to be sure". No harm no foul. :-)
BTW, I'm quite amused by the message saying to delete the System32 folder. The worrying thing is how many people may well have just done that...