Well, the problem is that when you allow HTML injection of any sort from outside sources, it introduces inherent security risks due to the nature of how this markup is used. HTML is essentially "compiled" by the browser and there's really no way to sandbox individual posts as isolated from the real server "code".
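The usual defensive answer to the point above is not to let outside markup reach the browser as markup at all: escape it on the server so the browser shows it as text. The following is an added example, not code from the poster or any project on this page; the `renderPost` template and the sample post are constructed for illustration.

```javascript
// Added example: escape the five characters that let untrusted text change
// HTML structure or break out of attribute values, so a post can only be
// displayed, never "compiled", by the browser.
function escapeHtml(untrusted) {
  const table = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Constructed rendering helper (assumption: posts are rendered into an HTML
// template on the server). Every piece of outside-sourced text goes through
// escapeHtml before it is concatenated with the trusted markup.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample input: a post body that contains markup of its own.
// The tags survive as visible text instead of becoming part of the page.
const samplePost = renderPost('alice', '<b>hello</b> & "bye"');
```

Escaping at output time is the point: the post is stored as-is, and the decision that it is data rather than markup is made at the exact place it is inserted into the page, which is the only place where the browser's interpretation can be controlled.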