3
The problem is because you must enable html in the forum to use the wisiwyg editor.
I know XOOPS can block javascript code, but for example if anybody makes a table and he doesn't close the <td> or <tr> labels, it can destroy the design.
In my newbb I have disabled the htmldesign option in spaw editor but I think it's a partial solution.
I'm not sure about php code injection.
Because "I'm not sure" I've said that it can be usecure.
(En español me expreso un poco mejor, espero que me hayas entendido XDXD)