To protect against an XSS (Cross-Site Scripting) attack, any web page that generates dynamic content incorporating information submitted by the user should filter that information before writing it into the page, so that any (potentially malicious) HTML tags it contains are removed or escaped rather than rendered by the browser. This applies to every value that originates from the client (request parameters, form fields, headers, cookies), not only to values entered through the page's own forms.

To accomplish this, many of the Oracle JSP demos include demoUtil.jsp (the source for which can be found here). It contains a method, HTMLReplace, which filters the tags out of a string before the string is written to the page; call it on every user-supplied value the page echoes. For more information on XSS attacks in general, see this CERT advisory.
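As an added illustration (this is not the code of demoUtil.jsp, and the class and method names below are hypothetical), the following Java helper shows the two filtering approaches a JSP page can take and why escaping the HTML-significant characters is the safer one. The constructed inputs stand in for a request parameter an attacker controls: the second one reassembles a script tag after a blocklist filter removes the inner `<script>`, and the third contains no tag at all yet breaks out of an attribute value.

```java
// Added example (not from Oracle's demoUtil.jsp): an HTML-escaping helper for
// JSP pages that echo user-supplied data. Class and method names are hypothetical.
public final class HtmlEscapeExample {

    /** Escape the characters that can change HTML structure or close an attribute. */
    public static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // &apos; is not HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Blocklist-style tag removal for comparison: deletes <script ...> and </script> only. */
    public static String stripScriptTags(String s) {
        return s == null ? "" : s.replaceAll("(?i)</?script[^>]*>", "");
    }

    public static void main(String[] args) {
        // Constructed attacker inputs, as a "name" request parameter might carry them.
        String[] payloads = {
            "<script>alert(document.cookie)</script>",
            "<scr<script>ipt>alert(1)</scr</script>ipt>",   // stripping the inner tags rebuilds <script>
            "\" onmouseover=\"alert(1)"                     // no tag at all: escapes the value="..." quote
        };
        for (String p : payloads) {
            System.out.println("input     : " + p);
            System.out.println("stripped  : <p>Hello " + stripScriptTags(p) + "</p>");
            System.out.println("escaped   : <p>Hello " + htmlEscape(p) + "</p>");
            System.out.println("attribute : <input value=\"" + htmlEscape(p) + "\">");
            System.out.println();
        }
    }
}
```

Run it and compare the "stripped" line for the second payload (a single pass leaves `<script>alert(1)</script>` intact) with the "escaped" line, where every `<` has become `&lt;` and the browser shows the text instead of executing it. The escaping shown covers HTML element content and quoted attribute values; data written into a JavaScript block, a URL or a CSS value needs an encoder for that context instead.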