HTML on vb risk - how to combat?


I, Brian
Wed 21st Apr '04, 4:28pm
I thought I'd post this here - basically, I persuaded a writing group to set up a vBulletin. They'd like to have HTML active but I've warned of the possibility of there being a security risk in allowing HTML to be active on the forums.

My question is this: what steps can I take to help them protect themselves if they want to allow HTML on their vB 3? Is there anything that can really protect against any malicious use of HTML tags the site can use?

Brad.loo
Wed 21st Apr '04, 4:41pm
About the only measure you can take is only giving the html tag to trusted users in trusted usergroups, however if one of these members went rogue and wanted to, they could do some damage to your forums.

Ensure that all accounts with admin access are 'locked down' so the accounts could not be edited via the admin cp even if they are accessed, this will ensure you will not lose control of your board, but does not protect your posts etc.

IMHO html is just not worth it, attempt to emulate what you need via bbcode whenever possible.
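
Added example (not part of the thread, and not vBulletin's own BBCode parser): a minimal sketch of why BBCode is the safer route than raw HTML. Everything the member types is HTML-escaped first, and only a fixed whitelist of tags is translated back into markup. The names `render_bbcode`, `SIMPLE_TAGS` and `_safe_url` are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit

# Whitelisted paired tags mapped to fixed HTML elements (assumed set).
# No attribute value is ever copied from the post for these tags.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u", "quote": "blockquote"}
ALLOWED_SCHEMES = {"http", "https"}


def _safe_url(escaped):
    """Return an attribute-safe absolute http(s) URL, or None to reject."""
    url = html.unescape(escaped).strip()
    # Whitespace or control characters have no place in a link target.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # rejects javascript:, data:, relative links, etc.
    return html.escape(url, quote=True)


def _link(match):
    href = _safe_url(match.group(1))
    if href is None:
        return match.group(0)  # leave the tag as inert, escaped text
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (href, match.group(2))


def render_bbcode(post):
    """Render a post: escape all raw HTML, then expand whitelisted BBCode."""
    # 1. Neutralise every tag, attribute and entity the member typed.
    out = html.escape(post, quote=True)
    # 2. Expand simple paired tags into fixed, attribute-free elements.
    for bb, tag in SIMPLE_TAGS.items():
        pattern = re.compile(r"\[%s\](.*?)\[/%s\]" % (bb, bb), re.I | re.S)
        out = pattern.sub(r"<%s>\1</%s>" % (tag, tag), out)
    # 3. Expand [url=...]...[/url] only when the target passes validation.
    return re.sub(r"\[url=(.*?)\](.*?)\[/url\]", _link, out, flags=re.I | re.S)


if __name__ == "__main__":
    # Constructed sample post, not taken from the thread.
    sample = '[b]Draft 2[/b] <img src=x onerror=x> [url=https://example.com/]notes[/url]'
    print(render_bbcode(sample))
```

The order matters: because escaping happens before any tag is expanded, the only markup that can reach the page is markup the renderer itself emitted.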