I recently figured out, that iframes are not filtered (wpmu nightly-build from 09-26). That way users can put thirdparty-code into their posts. I recently had to delete a forum, that was inserted :-(
I have commented out the iframe-array in kses.php line 21.