if you are taking input as a CGI environment and you are woried about re-displaying code that has been input into your forms. It is true that there are some backends with scripts. However they are not being run on the server, so that will be secure. However the users viewing the script may be vulnerable. It isnt a bad idea to block out all script tags for their sake.