Just before the last release, the check for unfiltered_html snuck back into the code base for MU. This means that if you’re using code since then, your users can insert malicious code into your site.
Please read this forum post from Donncha for more details. You can update wp-admin/includes/schema.php so that new blogs won’t have this, and Donncha has provided a plugin to strip it from any blogs that may already be using it.
It is very important that you check your codebase for this.
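One way to check a single blog for the capability, as an added example that is not Donncha's plugin or code from MU itself: it lists every role on the current blog that holds unfiltered_html and removes it only when asked. It assumes it is loaded as a plugin inside WordPress, and the example_ function names are hypothetical.

```php
<?php
/*
 * Added example (not Donncha's plugin): audit the current blog's roles
 * for the unfiltered_html capability. Function names are hypothetical.
 */

/**
 * Return the names of all roles on the current blog that hold
 * unfiltered_html. With $remove = true the capability is also
 * stripped from each of those roles.
 */
function example_audit_unfiltered_html( $remove = false ) {
    global $wp_roles;

    // The roles object may not be set up yet when this runs early.
    if ( ! isset( $wp_roles ) ) {
        $wp_roles = new WP_Roles();
    }

    $found = array();
    foreach ( $wp_roles->role_objects as $name => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $found[] = $name;
            if ( $remove ) {
                // Persists the change to this blog's stored role data.
                $role->remove_cap( 'unfiltered_html' );
            }
        }
    }
    return $found;
}

/**
 * Report-only admin notice: shows which roles still hold the capability.
 */
function example_unfiltered_html_notice() {
    $roles = example_audit_unfiltered_html( false );
    if ( empty( $roles ) ) {
        return;
    }
    $list = htmlspecialchars( implode( ', ', $roles ) );
    echo '<div class="error"><p>Roles with unfiltered_html on this blog: '
        . $list . '</p></div>';
}
add_action( 'admin_notices', 'example_unfiltered_html_notice' );
```

Run it in report mode first. Role data is stored per blog, so the result covers only the blog it runs on.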