I would also advise never enabling HTML posting for any user you wouldn't trust with full access to your system. They'll be able to embed JavaScript and Flash and make any pages their posts appear on completely unreadable (just imagine shoving a </body> tag randomly in a random post, and going in to have to clean it up).
It's why we have the BBCode system.
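
Added example, not part of the original post and not any forum package's own code: a BBCode-style renderer in Python that escapes everything the user typed first and then emits only allow-listed markup, so a stray </body> or a script tag ends up as visible text. The function names, the tag set, the allowed URL schemes and the sample post are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list (assumed for this example): BBCode tag -> the only HTML it may produce.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
ALLOWED_SCHEMES = {"http", "https"}


def _render_url(match):
    """Render [url=...]text[/url]; leave it as inert text if the scheme is not allowed."""
    target, label = match.group(1), match.group(2)
    # The post is already escaped, so unescape only to inspect the scheme.
    scheme = urlsplit(html.unescape(target)).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return match.group(0)
    return '<a href="{}" rel="nofollow noopener">{}</a>'.format(target, label)


def render_bbcode(post):
    """Convert a user's post to HTML, emitting only markup from the allow-list."""
    # 1. Escape first: every <, >, & and quote the user typed becomes an entity,
    #    so raw HTML in the post can never reach the page as markup.
    out = html.escape(post, quote=True)
    # 2. Links: the target may not contain ']' or whitespace, and its quotes are
    #    already entities, so it cannot break out of the href attribute.
    out = re.sub(r"\[url=([^\]\s]+)\](.*?)\[/url\]", _render_url, out,
                 flags=re.I | re.S)
    # 3. Simple paired tags; an unmatched [b] or [/b] just stays as text.
    for bb, tag in SIMPLE_TAGS.items():
        pattern = re.compile(r"\[{0}\](.*?)\[/{0}\]".format(bb), re.I | re.S)
        out = pattern.sub(r"<{0}>\1</{0}>".format(tag), out)
    # 4. Preserve the poster's line breaks.
    return out.replace("\n", "<br>\n")


if __name__ == "__main__":
    # Constructed sample post mixing BBCode with the raw HTML described above.
    sample = "Hi [b]all[/b]</body><script>alert(1)</script>"
    print(render_bbcode(sample))
```
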