And for yet another solution -- if you're using CGI to get the input from the user, it has an escapeHTML function.

Also see the autoEscape function to set CGI's behavior.