Ah - it comes down to "properly configured", and "well written applications." As part of my job I, not to put too fine a point on it, hack companies as part of security audits, and as yet my team has rarely seen a well configured server, from a security standpoint. To reduce security further, allow the web server to display user-defined data (ie stuff you've posted.) The problem isn't so much html, as the fact that you can break the web server or the browser by giving them malformed strings or unexpected data. For a very simple example which most people should have patched anyway, see the Nimda worm. This wasn't exactly an html issue, but the html request broke server security. Malformed data strings in the URL are pretty easy to watch for, but how is the UBBcode going to spot malicious data in a posting? It ain't clever enough. It wil try to display it - leading to potential data disclosure or server attack.
For tools and exploits see astalavista.box.sk, but be warned - a lot of the sites listed there will actively try to attack your browser so protect yourself.