in reply to Tainted or bad characters
You should probably acquaint yourself with CGI's escapeHTML() function. I'm guessing that you intend to accept user data, store it somewhere and then later redisplay it to a web browser without allowing the original text to do "bad things". The idea is, before sending the data as HTML to the browser, encode it for HTML and that'll take all your "bad stuff" and render it harmless.
This also raises the issue - are you storing this data somewhere? You may have similar issues that way as well - consider the common SQL insertion attack.
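An added example (not from the original post) putting both points together in Perl: the visitor's text is stored with a DBI placeholder and run through CGI's escapeHTML() only at the moment it is redisplayed. It assumes DBI and DBD::SQLite are installed; the sample comment is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Constructed sample input: what a visitor might type into a comment form.
# It contains markup, an ampersand and an apostrophe on purpose.
my $comment = q{<script>alert("hi")</script> & O'Reilly};

# Storage side (assumes DBD::SQLite): bind the value with a placeholder so the
# driver quotes it and the apostrophe in O'Reilly cannot alter the statement.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$dbh->do('INSERT INTO comments (body) VALUES (?)', undef, $comment);

# Redisplay side: fetch the raw text back unchanged and encode it for HTML
# only when it is sent to the browser, so <, >, & and quotes become entities
# and the stored markup is shown as text instead of being interpreted.
my $rows = $dbh->selectcol_arrayref('SELECT body FROM comments ORDER BY id');
print "Content-Type: text/html\n\n";
for my $body (@$rows) {
    my $safe = CGI::escapeHTML($body);
    print "<p>$safe</p>\n";
}
```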