The possibility to inject HTML code gives hackers a wonderful opportunity for XSS attacks. Heck, even a poor BBCode parser can be exploited this way.