To protect against an XSS (Cross-Site Scripting) attack, any web page that
generates dynamic content from information submitted by the user should
filter that information before echoing it back, so that any (potentially
malicious) HTML tags it contains are neutralized. Note that stripping tags
is the weaker of the two common approaches: user-supplied data that is
HTML-encoded at the point of output (at minimum the characters <, >, &
and ") is always rendered by the browser as text, whereas a tag-stripping
filter can be bypassed by input that is not a complete tag but still
changes the surrounding markup (for example, a quote character that
closes an attribute value).
To accomplish this, many of the Oracle JSP demos include demoUtil.jsp, the
source for which can be found here. It contains a method HTMLReplace which
filters the tags. For more information on XSS attacks in general, see this
CERT advisory.
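The following is an added example and is not the source of demoUtil.jsp or
its HTMLReplace method (which this page does not reproduce). It contrasts a
naive "remove the tags" filter with HTML output encoding, rendered into a
hypothetical JSP fragment, using inputs constructed for the demonstration:

```java
import java.util.regex.Pattern;

/*
 * Added example, not part of the Oracle JSP demos. The JSP fragment it
 * simulates and the request parameter name are hypothetical.
 */
public class XssFilterDemo {

    // Naive filter: delete anything that looks like a complete <...> tag.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    public static String stripTags(String s) {
        return s == null ? "" : TAG.matcher(s).replaceAll("");
    }

    // Output encoding: the five characters that can change the HTML
    // parser's state inside text or a quoted attribute value.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // True if the filtered value still contains a character that can
    // open a tag or close the attribute it is placed in.
    public static boolean containsMarkupChars(String filtered) {
        return filtered.indexOf('<') >= 0 || filtered.indexOf('"') >= 0;
    }

    // Stands in for a (hypothetical) JSP page such as
    //   <p>Hello, <%= name %></p>
    //   <input name="q" value="<%= name %>">
    // where name came from request.getParameter("name").
    public static String render(String name, boolean encode) {
        String out = encode ? escapeHtml(name) : stripTags(name);
        return "<p>Hello, " + out + "</p>\n"
             + "<input name=\"q\" value=\"" + out + "\">";
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        String[] inputs = {
            "<script>alert(1)</script>",       // complete tag: both approaches neutralize it
            "\" autofocus onfocus=\"alert(1)", // no tag at all: breaks out of value="..."
            "<img src=x onerror=alert(1)",     // no closing '>': the regex never matches it
        };
        for (String in : inputs) {
            String stripped = stripTags(in);
            System.out.println("input      : " + in);
            System.out.println("stripTags  : " + stripped
                + (containsMarkupChars(stripped) ? "   <-- still live markup" : ""));
            System.out.println("escapeHtml : " + escapeHtml(in));
            System.out.println();
        }
        System.out.println("--- tag stripping, attribute context ---");
        System.out.println(render(inputs[1], false));
        System.out.println("--- output encoding, attribute context ---");
        System.out.println(render(inputs[1], true));
    }
}
```

Run with `javac XssFilterDemo.java && java XssFilterDemo`. The second and
third inputs survive stripTags unchanged because neither is a complete
<...> tag, yet the browser will still execute them once they land in the
attribute value or are closed by the page's own `>`; escapeHtml turns every
one of them into inert text regardless of where in the page it is placed.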