Editing an html page seems to allow cross-site scripting and webdot code similar to:
alert("cookie:"+document.cookie);
If I found an employee inserting cross-site scripting into their content they wouldn't have a job for very long. Additionally, their content must be reviewed/approved before publishing.