Just checked this out recently after I read a question here on the forums. For comments, posts, (and a number of other input forms), WordPress uses the kses filter. Google it for some info.
To see what HTML is allowed, you can go into wp-includes/kses.php and look at the multi-dem arrays. There's two of them.
The allowable HTML for comments, user description, etc. is very small. The allowable HTML for posts is much larger, though still filtered.
The filter functions are
You can utilize these functions in plugins, and as t31os advises, never trust the user, and never trust that someone couldn't log on with that user's account and enter code with malicious intent.