and all their scripts will be executed if the email service the customer uses doesn't have a proper protection itself. Of course most of the modern email services do this, but there are still some not too widespread ones that don't. This also relates to the customers that have their own servers and have the emails there.
Well, it's the recipient system's vulnerability mostly, but you also shouldn't send executable code there. Otherwise it would be something like distributing viruses over your clients and saying it's their fault they don't use antivirus software :) Especially since it won't be too hard to fix it, cause you already have this done for the email customization page mentioned above — all the unnecessary tags and parameters are properly sanitized, so you just have to copy the validating code from there.
2. Also I don't think it's a good idea to let anyone send whatever he wants on your behalf in general
For example, the attacker can send emails as follows:
> Due to the recent security issue some of our accounts have been compromised. > > We recommend you to change your password as soon as possible. To do this please click the following link: > >Change your password
Being sent on behalf of firstname.lastname@example.org and designed kinda like your forget password mail, it can easily mislead the customers, so they will open the attacker's phishing link and put their login and password there.
He can also send something abusive or prohibited by law.