Anytime users are allowed to add HTML to a site via a front-end widget there is an opportunity for an XSS attack. Many clients require/request the ability to enter HTML, either directly or indirectly through a widget such as CKEditor. In more cases than not this should be behind authentication. You shouldn't allow users who don't have a vested interest in the site and/or company the flexibility to add any HTML they want. General public users should either be limited to a small set of HTML tags, BBCode, or plain text. However, in theory site admins should have full flexibility, to an extent. Though it is always a fine line when giving any non-developer too much power, particularly those who don't know their limits. From what I recall CKEditor has a server-side counterpart that can be used to limit certain tags from being valid input. Though I haven't messed around with the inner workings/configuration of CKEditor in a while.
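One way to enforce the "small set of HTML tags" restriction on the server, as an added example that is not part of the post above and is not CKEditor's own server-side filter: an allowlist sanitizer built on Python's standard-library HTML parser. Anything not explicitly allowed is dropped rather than escaped-through, which is what keeps event-handler attributes and `javascript:` links out regardless of what the front-end widget submitted. The `PUBLIC_ALLOWED` and `ADMIN_ALLOWED` policies, the URL scheme list, and the sample input are constructed for illustration, not a recommended standard.

```python
# Allowlist-based server-side HTML sanitizer (added example, not the post's code
# and not CKEditor's server-side filter). Everything not explicitly allowed is
# dropped: unknown tags, every attribute not on the tag's allowlist (so all on*
# handlers), script/style content, comments, and href/src values whose scheme is
# not http(s) or mailto. The policies below are constructed illustrations.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy for unauthenticated users: a handful of formatting tags.
PUBLIC_ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
}
# Constructed policy for authenticated editors: the public set plus headings and images.
ADMIN_ALLOWED = {
    **PUBLIC_ALLOWED,
    "h1": set(), "h2": set(), "h3": set(), "blockquote": set(),
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}            # never receive a closing tag
RAW_TEXT_TAGS = {"script", "style"}  # drop the tag and everything inside it


def safe_url(value):
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    # Strip whitespace/control characters first so "java\tscript:" cannot slip past.
    cleaned = "".join(ch for ch in (value or "").strip() if ch.isprintable())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        # convert_charrefs=True hands us decoded text, which we re-escape on output.
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []        # output fragments
        self.open_tags = []  # stack of allowed tags we have emitted
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <SCRIPT> and onClick
        # are matched here as well.
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowed:
            return  # drop the tag itself; its text content is still emitted
        rendered = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue  # drops onclick, onerror, style, ...
            if name in URL_ATTRS and not safe_url(value):
                continue
            rendered.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray closing tag: ignore
        while self.open_tags:  # close mis-nested children up to this tag
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html, allowed=PUBLIC_ALLOWED):
    """Return html reduced to the tags/attributes in `allowed`; text is kept."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input mimicking what a front-end widget might submit.
    submitted = ('<p onclick="alert(1)">Hi <script>alert(1)</script><b>there</b></p>'
                 '<a href="javascript:alert(1)" title="x">click</a>'
                 '<img src=x onerror=alert(1)>plain & <i>text')
    print(sanitize(submitted))                 # public policy: no img, no handlers
    print(sanitize(submitted, ADMIN_ALLOWED))  # admin policy: img kept, src still checked
```

The same `sanitize` function serves both audiences the post distinguishes; only the policy passed in changes, so the authenticated-editor path still goes through URL-scheme checks and attribute filtering rather than bypassing the sanitizer entirely.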