Ruby on Rails
HTML Injection

By putting raw HTML into an unsuspecting site’s content (e.g., by posting to a forum) a BlackHat can do all sorts of nasty stuff, because the browser renders that markup as part of the site’s own page.

Filter text to only allow the subset of HTML you intend to support, or escape it all.

The h() helper can be used to escape all HTML:

<%=h "<b>bold</b>" %>

yields:

&lt;b&gt;bold&lt;/b&gt;

As you can see, this converts all HTML-special characters into their entities, so the input is displayed as text rather than interpreted as HTML.
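To make both options concrete, here is an added Ruby example (not from the original page): escaping everything with ERB::Util.html_escape, which is the escaping behind Rails’ h(), beside a small allow-list filter that keeps a few harmless tags and escapes the rest. The allowed tag list is an assumption chosen for illustration, not a Rails API.

```ruby
require 'erb'

# Escape every HTML-special character (& < > " ') so the browser shows the
# text literally instead of interpreting it as markup. This is the same
# escaping Rails' h() helper performs.
def escape_all(text)
  ERB::Util.html_escape(text)
end

# Assumed allow-list for the filtering approach: bare tags only, no attributes.
ALLOWED_TAGS = %w[b i em strong].freeze

# Keep only exact <tag> / </tag> tokens for allowed tags; escape everything
# else, including tags with attributes (e.g. onclick=...) and unknown tags.
def filter_allowlisted(text)
  # Tokenise into tag-like runs, plain text runs, and stray '<' characters.
  text.scan(%r{</?[^<>]*>|[^<]+|<}).map do |token|
    m = token.match(%r{\A<(/?)([a-zA-Z]+)>\z})
    if m && ALLOWED_TAGS.include?(m[2].downcase)
      "<#{m[1]}#{m[2].downcase}>"      # allowed tag: pass through normalised
    else
      ERB::Util.html_escape(token)     # anything else: render as text
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed forum post containing markup the site does not intend to allow.
  post = '<b>bold</b> <script>alert(1)</script> <b onclick="x">hi</b>'
  puts escape_all(post)
  puts filter_allowlisted(post)
end
```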
