Keep in mind anything and pretty much everything you see on the web is done with HTML, CSS, and JS. That means that (since you already have access to HTML and CSS via BBCodes), with JS, you can do pretty much everything.
Sounds good, right?
Not at all.
That also means that you can do (and I hate to say this) malicious things to other users, such as this and [a=#"onclick="event.preventDefault();document.getElementsByTagName('a'.item(2).click();return false]this[/a].
Marking as resolved, since this issue is not negotiable. This is a matter of safety for everybody on the site.
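
The `[a=...]` tag in the post above works because the tag argument lands inside an `href` attribute unescaped, so a quote character closes the attribute and starts a new one. As an added example (not part of the original post and not the site's own code), here is a naive link renderer beside one that allowlists URL schemes and escapes its output; the function names, the tag grammar and the sample inputs are assumptions made for illustration.

```javascript
// Added example: rendering a BBCode-style [a=URL]text[/a] tag.
// The tag grammar and all function names here are hypothetical.
const TAG = /\[a=([^\]]*)\]([\s\S]*?)\[\/a\]/g;

// Naive renderer: the tag argument is pasted straight into href="...".
// A double quote in the argument ends the attribute and adds new ones.
function renderLinkNaive(input) {
  return input.replace(TAG, (_, url, text) => `<a href="${url}">${text}</a>`);
}

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Accept only same-page fragments and a short scheme allowlist, and reject
// any argument containing whitespace, control characters, quotes or brackets.
function isAllowedUrl(url) {
  if (/[\u0000-\u0020"'<>`]/.test(url)) return false;
  if (url.startsWith('#')) return true;
  try {
    return ['http:', 'https:', 'mailto:'].includes(new URL(url).protocol);
  } catch {
    return false; // not an absolute URL
  }
}

// Hardened renderer: every piece of user text is escaped, and a tag whose
// argument fails validation is shown as inert text instead of markup.
function renderLinkSafe(input) {
  let out = '';
  let last = 0;
  for (const m of input.matchAll(TAG)) {
    const [whole, url, text] = m;
    out += escapeHtml(input.slice(last, m.index));
    out += isAllowedUrl(url)
      ? `<a href="${escapeHtml(url)}" rel="nofollow noopener">${escapeHtml(text)}</a>`
      : escapeHtml(whole);
    last = m.index + whole.length;
  }
  return out + escapeHtml(input.slice(last));
}

// Constructed inputs: one attribute breakout, one ordinary link.
const breakout = '[a=#"onclick="void 0]this[/a]';
const ordinary = '[a=https://example.com/page]docs[/a]';
console.log(renderLinkNaive(breakout));
console.log(renderLinkSafe(breakout));
console.log(renderLinkSafe(ordinary));
```

Escaping alone would neutralise the quote, but the scheme allowlist is still needed because a `javascript:` URL contains no characters that escaping changes.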