Why is "Full HTML" Input Format Dangerous?


This is a comment I submitted on my localhost site, with full HTML allowed for anonymous users. The fact that "XSS" came up in an alert means I'm vulnerable to attack.

If you want your skin to crawl more, visit the XSS Cheatsheet, which catalogues a number of XSS attack techniques. If you're ever in doubt, there is no better test than attempting to hack yourself.
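To make the difference concrete, here is an added example (not code from the original post, and not Drupal's own filter code) that renders the same constructed comment bodies three ways: passed through untouched as a "Full HTML" format would, fully escaped as plain text, and run through a small illustrative allowlist filter. The allowlist filter and its `ALLOWED_TAGS` set are assumptions chosen for the demonstration; a production site should rely on its platform's tested sanitizer rather than this sketch.

```javascript
// Added example: what a "Full HTML" input format does with a comment body,
// next to two hardened alternatives. Not the blog's or Drupal's code.

// Constructed sample comment bodies, the kind an anonymous user could post.
const SAMPLE_COMMENTS = [
  'Nice post! <b>Thanks</b>',
  '<script>alert("XSS")</script>',
  '<img src=x onerror="alert(\'XSS\')">',
  '<a href="javascript:alert(\'XSS\')">click</a>',
  '<b onmouseover="alert(\'XSS\')">hover me</b>',
];

// "Full HTML": the stored body is emitted verbatim into every visitor's page,
// so any script, event handler or javascript: URL in it runs in their browser.
function renderFullHtml(body) {
  return body;
}

// "Plain text": every HTML-significant character is escaped, so the browser
// displays the markup as literal text and never parses it as tags.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// "Filtered HTML" (illustrative allowlist, an assumption for this example):
// keep a few formatting tags with NO attributes, drop every other tag, and
// escape everything that is not a tag. Dropping all attributes removes the
// on* handler and javascript: URL vectors in one stroke.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'code']);

function renderFilteredHtml(body) {
  // Tokenise into tag-like runs, text runs, and stray '<' characters.
  // Tag matching is deliberately permissive: anything tag-shaped that is not
  // on the allowlist is removed outright, and text inside it still comes
  // through as escaped text.
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^<>]*>|[^<]+|</g;
  let out = '';
  let m;
  while ((m = tokenRe.exec(body)) !== null) {
    const token = m[0];
    if (m[1] !== undefined) {
      const tag = m[1].toLowerCase();
      const closing = token.startsWith('</');
      if (ALLOWED_TAGS.has(tag)) {
        out += closing ? `</${tag}>` : `<${tag}>`; // attributes are discarded
      }
      // disallowed tag: dropped entirely
    } else {
      out += escapeHtml(token); // text, or a lone '<' that began no tag
    }
  }
  return out;
}

// Render one body under all three formats so they can be compared side by side.
function renderAll(body) {
  return {
    fullHtml: renderFullHtml(body),
    plainText: escapeHtml(body),
    filteredHtml: renderFilteredHtml(body),
  };
}

// Stand-alone demo over the constructed samples.
if (typeof require !== 'undefined' && require.main === module) {
  for (const body of SAMPLE_COMMENTS) {
    console.log(renderAll(body));
  }
}
```

Only the first column of that output, the Full HTML rendering, still carries the payloads; that is exactly what the `alert("XSS")` popup in the screenshot above is showing. The filter here is a sketch to show the principle (allowlist tags, allow no attributes, escape the rest), not a drop-in replacement for a vetted sanitizer.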
