Not anything, quotes for instance, are sanitized. Although it's meant to be this way by design, I still think it's a big security risk. I have contacted Wordpress and they are fixing this 'functionality' in the next version.