When using certain column types in an HTMLCC formula, it might become possible for a list contributor to insert their own JavaScript into a page via the HTMLCC output.
As an example, suppose the following formula is used (it shows the title in bold):
="<b>" & [Title] & "</b>"
If a user were to change the title of a list item to the following:
<script type="text/javascript">alert('I can run JS code');</script>
The list view would then display a message box whenever the page is opened.
Although this example is harmless, it demonstrates that a list contributor can run JavaScript on other users' machines. A more worrying use would be code that accesses the SharePoint web services, which (if the list is viewed by an administrator) would allow the code full access to the SharePoint server's data.
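The following is an added example, not code from HTMLCC or from this page. It evaluates the bold-title formula above against the modified title, once with the column value inserted raw and once with it HTML-encoded. The function names (htmlEncode, parseFormula, renderFormula) and the minimal formula grammar are assumptions made for the illustration.

```javascript
// Added illustration, not HTMLCC's evaluator. Assumed grammar: "=" followed by
// string literals and [Column] references joined with "&".

// Encode the characters that are significant in HTML text and attribute values.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Split a formula into tokens of the form { type: "literal" | "column", value }.
function parseFormula(formula) {
  if (!formula.startsWith("=")) throw new Error("formula must start with '='");
  const term = /\s*(?:"((?:[^"]|"")*)"|\[([^\]]+)\])\s*(&|$)/y;
  const tokens = [];
  let pos = 1;
  let sep = "&";
  while (pos < formula.length) {
    term.lastIndex = pos;
    const m = term.exec(formula);
    if (!m) throw new Error("unsupported syntax at offset " + pos);
    tokens.push(m[1] !== undefined
      ? { type: "literal", value: m[1].replace(/""/g, '"') }
      : { type: "column", value: m[2] });
    sep = m[3];
    pos = term.lastIndex;
  }
  if (sep === "&") throw new Error("formula is empty or ends with '&'");
  return tokens;
}

// Literals are the formula author's markup and pass through. Column values are
// contributor-controlled: encoded by default, raw only to reproduce the issue.
function renderFormula(formula, item, encodeColumns = true) {
  return parseFormula(formula).map((t) => {
    if (t.type === "literal") return t.value;
    const has = Object.prototype.hasOwnProperty.call(item, t.value);
    const raw = has ? String(item[t.value]) : "";
    return encodeColumns ? htmlEncode(raw) : raw;
  }).join("");
}

// Constructed sample data: the formula and the title value shown on this page.
const FORMULA = '="<b>" & [Title] & "</b>"';
const ITEM = { Title: "<script type=\"text/javascript\">alert('I can run JS code');</script>" };

console.log(renderFormula(FORMULA, ITEM, false)); // markup from the title reaches the page
console.log(renderFormula(FORMULA, ITEM));        // title is displayed as inert text
```

This encoding covers column values placed in element content or quoted attribute values; a formula that puts a column inside a URL or a script block needs encoding appropriate to that context.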
The HTMLCC formula validation will warn you if you include columns that are potentially a problem. The following column types pose a possible threat: