in reply to Re: Question about untainting data
in thread Question about untainting data
I think that filtering your output depends more on your
application. If you're writing code to collect some data
from users then it's not a big deal. But if you're writing
a guestbook you may want to filter input for stuff like
malicious JavaScript.
It's a shame we have to do this too.
Slightly off topic, but still important to the security
question.