This gives them and easy way to exhaust the web-server of resources as part of a denial-of-service attack. By simply supplying a few nasty inputs to the server it will become unavailable to legitimate users.