until now, comments could not contain macros, except internal comments. those contained in the VFS.
this exception was made because such comments were considered safe, always set by the admin.
i see now that this assumption is wrong.
with such script you will end by exposing editing of in-VFS comments to the web.
think of a user setting {.delete|C:\boot.ini.} to a comment.
if this comment is saved to an external file, no problem, it's quoted.
if it is set for a virtual element, let's say, a virtual folder, enter the troubles.
because such virtual elements stores the comment internally, as said before.
at the moment the easier solution i see to this is to prevent macros also to such comments. in next release.