Actually, the vulnerability that it opens has nothing to do with HTML or BBCode. It has to do with the possibility of malicious ActionScript embedded in the "videos". Luckily, it's not too much of a danger ATM, as most scriptkiddies haven't really taken notice of it yet. Then again, nothing is ever a problem until all hell breaks loose.
