In theory they could. There's a specific button that lets you edit the HTML source. If you display it, they can put their own scripts in. If you don't display it, TinyMCE strips out the <'s and >'s into HTML entities.
1. Use SeamText. It allows only the safe subset of HTML.
2. Develop your own validator (e.g. using this library: http://code.google.com/p/owaspantisamy/) and attach it to the rich:editor in order to check user input against scripts or other unwanted tags.
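An added illustration of the second suggestion (not code from this thread or from the RichFaces or AntiSamy projects): a JSF validator that runs the submitted editor value through AntiSamy on the server and rejects it when the policy flags anything. The class name, the validator id mentioned below and the policy file name antisamy-policy.xml are assumptions.

```java
// Added example: server-side check of rich:editor input with OWASP AntiSamy.
// Assumed names: SafeHtmlValidator, /antisamy-policy.xml on the classpath.
import java.io.IOException;
import java.io.InputStream;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class SafeHtmlValidator implements Validator {
    // The allowlist policy is parsed once and reused for every request.
    private static final Policy POLICY = loadPolicy();

    private static Policy loadPolicy() {
        try (InputStream in = SafeHtmlValidator.class
                .getResourceAsStream("/antisamy-policy.xml")) {
            if (in == null) {
                throw new IllegalStateException("AntiSamy policy file not found");
            }
            return Policy.getInstance(in);
        } catch (PolicyException | IOException e) {
            throw new IllegalStateException("Cannot load AntiSamy policy", e);
        }
    }

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        if (value == null) return;
        try {
            // Each error is markup the policy does not allow (scripts, handlers, ...).
            CleanResults results = new AntiSamy().scan(value.toString(), POLICY);
            if (results.getNumberOfErrors() > 0) {
                throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "Editor content contains markup that is not allowed", null));
            }
        } catch (ScanException | PolicyException e) {
            // Fail closed: input that cannot be scanned is rejected, not stored.
            throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Editor content could not be checked", null));
        }
    }
}
```

Register the class in faces-config.xml under a validator id of your choice (for example safeHtmlValidator, an assumed name) and reference it with f:validator inside the rich:editor tag. Because the check runs on the server against the submitted value, it applies whether or not the editor's HTML source button is displayed.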
Thanks for the advice, guys!