While IPB < 1.3 *might* have been vulnerable, IPB 2.x definitely isn't as HTML files are saved with the mime-type "unknown/unknown" which prompts the user to download the file to their desktop making it totally safe.