in reply to Untainting URLs and their descriptions

Hi,

lhoward is right about checking the validity of the URLs and the text/HTML.

You should be paranoid; it is a big security risk to allow unchecked text.

One very important one is Server Side Includes, because it's just an HTML comment

< ! - - #directive parameter="value" - - >.
Server Side Includes are very easily exploitable.
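As an added example (not code from this reply or from anyone in the thread, and written in Python rather than whatever the poster's site runs), the following shows the two checks the reply recommends: restricting a user-supplied URL to the schemes you expect, and HTML-escaping the user-supplied description before it is written into the page, so that an SSI-style comment such as the one above is rendered as visible text instead of being interpreted by the server. The `ALLOWED_SCHEMES` set, the function names and the sample inputs are assumptions made for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the page only ever links to ordinary web URLs, so anything
# else (javascript:, data:, ftp:, relative paths, ...) is rejected outright.
ALLOWED_SCHEMES = {"http", "https"}

# An SSI directive is an HTML comment whose body starts with '#', e.g.
# <!--#include virtual="..." -->.  This pattern is used as a detection
# check on raw input and as a regression check on the rendered output.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*\w+", re.IGNORECASE)


def contains_ssi_directive(text: str) -> bool:
    """True if the text holds something the server might treat as an SSI directive."""
    return SSI_DIRECTIVE.search(text) is not None


def validate_url(url: str) -> Optional[str]:
    """Return a normalised URL if it has an allowed scheme and a host, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_link(url: str, description: str) -> Optional[str]:
    """Build an <a> tag from untrusted input, or None if the URL is not acceptable.

    The URL is checked first; both the URL and the description are then
    escaped on output (quote=True also escapes " and '), so neither can
    break out of the attribute or introduce a comment/tag of its own.
    """
    safe_url = validate_url(url)
    if safe_url is None:
        return None
    return '<a href="%s">%s</a>' % (
        html.escape(safe_url, quote=True),
        html.escape(description, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample input: a legitimate URL with a description that
    # looks like an SSI directive.
    url = "https://example.com/page?x=1"
    desc = '<!--#exec cmd="id" -->'
    print("raw description is an SSI directive:", contains_ssi_directive(desc))
    rendered = render_link(url, desc)
    print(rendered)
    print("rendered output still contains a directive:", contains_ssi_directive(rendered))
    print("javascript: URL accepted:", render_link("javascript:alert(1)", "x") is not None)
```

The escaping step is the one that actually neutralises the SSI comment; the regular-expression check is only a secondary detection aid, and you should not rely on it alone because encodings and whitespace variations are easy to miss in a blacklist.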