They can use Java functions to stuff with things on your page, trigger mouseover events with loop dialog boxes, insert all the sourse code from another web site so it appears in your site, u can use a href to trick UBB into linking to the script that posts new messages by passing certain parameters, that when clicked by an admin could cause a possible security hole. etc... etc... etc...
Just dont do unless you dont care about security.