
HTML entities not handled on a social network site based on PHP...
That is, you can post with a <script> and it will run when published.
Everybody with conn or access to the post will be affected.
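
The missing escaping described in this post, shown as an added PHP example that is not part of the original post or the site's code. The function names, markup and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample values standing in for what a user submitted and the
// site stored in its database.
$storedBody   = "Nice photo!\n<script>alert(1)</script>";
$storedAuthor = 'Pat "the admin" O\'Brien';

// Before: the stored text is concatenated into the page as-is, so the
// browser parses it as markup and runs the script for every viewer.
function renderPostUnescaped(string $author, string $body): string
{
    return '<div class="post" data-author="' . $author . '">' . $body . '</div>';
}

// Encode at output time, not at storage time. ENT_QUOTES covers both quote
// styles so the value is also safe inside a quoted attribute, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every piece of user-controlled text goes through e() before it
// reaches the HTML. nl2br() runs after encoding so that the <br /> tags it
// adds are the only markup in the post body.
function renderPostEscaped(string $author, string $body): string
{
    return '<div class="post" data-author="' . e($author) . '">'
         . nl2br(e($body))
         . '</div>';
}

echo "Unescaped:\n", renderPostUnescaped($storedAuthor, $storedBody), "\n\n";
echo "Escaped:\n", renderPostEscaped($storedAuthor, $storedBody), "\n";
```

This encoding is correct for HTML text and quoted attribute values only; text placed inside a script block, a URL or a style needs the encoder for that context.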

Comments
  • 1
    Oh god, this reminds me of a Stack Overflow question where a guy wanted to run JavaScript from a string. I asked what for; he said to run js people entered into a db. People told him to use eval and I begged him please, don't do this... I don't think he listened to me.