There is a crafty little XSS hole in the cloud widgets of several big name content management systems. It takes advantage of Flash files that allow arbitrary HTML tags to be injected...sigh.
WordPress, Joomulus, JVClouds3D, Joomla and Blogumus as well as BlogEngine.NET and Kasseler CMS.
Read the article on it
So be careful what you put out there...encode it before you just slap it into your handy-dandy cool cloud tag thingy.