Enabling HTML for users? That's a bit insane. You know, in IE 6 you can crash the browser in 7 characters (a bug with the <style> tag), but of course the main vulnerability is JavaScript, where a script could easily execute to grab the cookie information and post it through a hidden iframe to another website, or even make you go to your own profile and jack your user settings up. The possibilities are endless when it comes to it, really.
If you want users to be given more powerful options, my suggestion is to create BBCodes via the ACP.
- Zero Tolerance
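
The BBCode approach suggested in the post above, sketched as an added example that is not part of the original post and is not the forum software's own code: user input is HTML-escaped first, then only a fixed set of tags is converted. The function names, the tag whitelist and the `rel` attribute are assumptions chosen for illustration.

```javascript
// Added example: minimal BBCode renderer (hypothetical names, not any forum's real code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML metacharacter so user text can never open a tag or an attribute.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only absolute http(s) URLs are accepted in [url=...]; javascript:, data: etc. fail.
function isSafeUrl(url) {
  return /^https?:\/\/[^\s"'<>\[\]]+$/i.test(url);
}

// Simple paired tags map to fixed HTML elements; no attribute ever comes from the user.
const SIMPLE_TAGS = { b: 'strong', i: 'em', u: 'u' };

function renderBBCode(input) {
  // Step 1: escape first, so raw <script>, <style> or <iframe> become inert text.
  let out = escapeHtml(input);

  // Step 2: convert whitelisted tags only; unknown tags stay as literal text.
  for (const [bb, html] of Object.entries(SIMPLE_TAGS)) {
    const re = new RegExp(`\\[${bb}\\]([\\s\\S]*?)\\[/${bb}\\]`, 'gi');
    out = out.replace(re, `<${html}>$1</${html}>`);
  }

  // Step 3: [url=...] is converted only when the scheme check passes;
  // otherwise the original text is left exactly as the user typed it.
  out = out.replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi, (match, url, label) =>
    isSafeUrl(url) ? `<a href="${url}" rel="nofollow noopener">${label}</a>` : match
  );
  return out;
}

// Constructed sample posts.
console.log(renderBBCode('[b]hello[/b] <script>alert(1)</script>'));
console.log(renderBBCode('[url=javascript:alert(1)]click[/url]'));
```

Because escaping happens before any tag conversion, the only HTML that reaches the page is what the renderer itself emits.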