Sure, but then somebody could submit login=<img src="http://evil.example.com/attack.js">, and you would have to catch that too.

And certainly, there are other attacks. I would recommend to escape all data that is user-supplied.