The best approach is to not "guess" what's bad - just approve only what you know is acceptable. So for example, if you only wanted to allow embedded youtube video, you would seek out patterns that identify a youtube chunk of code and and other attempts at embed you would filter out of the input.
You would want to do this server side, through whatever programming interface your board uses - php, perl, etc.
To be fairly safe you would need to create custom bbcodes and have the bbcode parser recognize and apply the correct html tags so the user can't input any html directly.
While on the topic phpbb3 doesn't even allow html out of the box, it does however allow you to create custom bbcodes . The person only has to wrap the youtube bbcode tags around the url and the bbcode parser takes care of the rest. You can create practically any custom bbcodes for the html you want to allow. The inputed data is validated by the bbcode parser to prevent any malicious code.