in reply to Re: Re: Back to acceptable untainted characters
in thread Back to acceptable untainted characters

It depends on whether $data is under the user's control or not.

If it is, it's best to prevent all HTML. I usually use an HTML escaping module, like the escapeHTML function provided by CGI.

Otherwise, if a malicious user can trick a legitimate user into setting $data to some JavaScript code, the malicious user can steal cookies for your domain, or any other information in the page or the form.
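An added illustration of the point above (example code written for this thread, not taken from the reply or from CGI.pm): a raw interpolation of $data next to the escapeHTML version, plus an allow-list untaint in the spirit of the thread title. The $data value is a constructed sample, and render_unsafe, render_safe and untaint_name are hypothetical names.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;    # escapeHTML comes from CGI.pm, as the reply suggests

# Constructed sample input: markup a user could be tricked into submitting.
my $data = q{<script>alert(document.cookie)</script>};

# Unsafe: interpolating $data straight into the page lets the browser
# execute whatever markup it contains.
sub render_unsafe {
    my ($value) = @_;
    return "<p>Hello, $value</p>";
}

# Safe for an HTML text context: escapeHTML turns &, <, > and quotes into
# entities, so the browser displays the characters instead of parsing them.
sub render_safe {
    my ($value) = @_;
    return '<p>Hello, ' . CGI::escapeHTML($value) . '</p>';
}

# Alternative: untaint by a strict allow-list of characters and reject
# everything else. The allow-list here is a hypothetical choice for a name
# field; under -T the capture group is what produces the untainted copy.
sub untaint_name {
    my ($value) = @_;
    if ($value =~ /\A([A-Za-z0-9 ,.-]{1,64})\z/) {
        return $1;
    }
    return;    # undef means the input is rejected
}

print render_unsafe($data), "\n";
print render_safe($data), "\n";

my $clean = untaint_name($data);
print defined $clean ? "accepted: $clean\n"
                     : "rejected: disallowed characters\n";
```

Run it as `perl -T script.pl` so the taint flag in the shebang is honoured. escapeHTML only covers text placed between tags; a value dropped into an attribute, a URL or a script block needs escaping for that context as well.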