Yeah, we can never have HTML enabled on any of our forums on this site, as it's essentially a security risk to be enabled on public forums because of how it allows for javascript.
But that can't hurt your system, only possibly some drive by. If you enabled a forum that had to have Admin approval to post you could also prevent that. Then they could post, you view it, then allow or don't allow. Where's the harm?
