I've always thought this was a major security flaw. E.g. a customer could inject a script in a comment of a web order or support case etc. and if that field is on any saved search it would execute.