When an the Filtered HTML input format is configured as described on the project page it also contains the HTML corrector that runs after the embedfilter.

When the following content is posted (alert is merely an example):

<script>alert(0)

embedfilter won't react because there's no SRC to check, and no closing tag. Unfortunately, the HTML corrector _will_ add this closing tag later, and the code after the script openingtag is executed.

It would be best to remove and empty <script> to prevent this.