I have committed a new plugin "serendipity_event_xsstrust" to our additional plugins module.
Thanks to Absynth, I got the idea to create this plugin. The site owner configures it with a list of trusted authors. Only those trusted authors can insert raw HTML; every other author's entry gets htmlspecialchars() applied, so they can no longer inject HTML or script.
If you don't want the plugin to break transformed BBcode or emoticons, you need to stack it BEFORE any other markup-related plugins, so that htmlspecialchars() is applied only to the raw user input and not to the HTML those plugins generate (otherwise their tags would be escaped and shown as literal text).
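The following is an added illustration of the trust check and of why the stacking order matters; it is not the plugin's own PHP code and not part of the original post. Python's html.escape() stands in for htmlspecialchars(), the author list, the two toy markup "plugins" and the sample entry are all constructed for the example, and the plugin chain is just a list of callables run in order:

```python
import html
import re

# Constructed site-owner configuration: only these author logins may post raw HTML.
TRUSTED_AUTHORS = {"alice"}


def xss_trust(author, body):
    """Stand-in for the trust filter: trusted authors' text passes through
    untouched, everyone else's is escaped (html.escape plays the role of
    PHP's htmlspecialchars(); quote=True also escapes " and ')."""
    if author in TRUSTED_AUTHORS:
        return body
    return html.escape(body, quote=True)


def bbcode(author, body):
    """Stand-in for a BBcode markup plugin: [b]..[/b] -> <b>..</b>, [i]..[/i] -> <i>..</i>."""
    body = re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", body)
    body = re.sub(r"\[i\](.*?)\[/i\]", r"<i>\1</i>", body)
    return body


def emoticons(author, body):
    """Stand-in for an emoticon plugin: replace :-) with an <img> tag."""
    return body.replace(":-)", '<img src="smile.png" alt=":-)">')


def render(author, body, plugin_chain):
    """Run the entry body through the plugins in the order they are stacked."""
    for plugin in plugin_chain:
        body = plugin(author, body)
    return body


# Recommended stacking: the trust filter first, then the markup plugins.
CORRECT_ORDER = (xss_trust, bbcode, emoticons)
# Wrong stacking: escaping runs last and mangles the other plugins' HTML output.
WRONG_ORDER = (bbcode, emoticons, xss_trust)

# Constructed entry from an untrusted author: a script tag plus legitimate markup.
SAMPLE_ENTRY = "<script>alert(document.cookie)</script> [b]hello[/b] :-)"

if __name__ == "__main__":
    for name, chain in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for author in ("alice", "mallory"):
            print(f"{name:7} {author:8} {render(author, SAMPLE_ENTRY, chain)}")
```

With the correct order, mallory's script tag comes out as harmless `&lt;script&gt;` text while her BBcode and emoticon are still rendered; with the wrong order the script is also neutralised, but so are the `<b>` and `<img>` tags the other plugins produced. One caveat: the escaping only covers HTML typed directly by the author, so any markup plugin that turns untrusted input into HTML (for example a BBcode [url] handler) still has to validate what it generates itself.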
I urge the users who run an open membership blog to think about using this plugin. Have fun. :-)