I can highly recommend testing your code with the sample XSS attacks from http://ha.ckers.org/xss.html - you will find a lot of potential cross-site scripting attacks that way.
Also, avoid dumping raw text from user input into comments: all the user has to do is figure out you're doing that and preface any of the XSS exploits on the page with '-->' to close your comment early...
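As an added example (not code from the answer above), here is the unsafe pattern it warns about beside a hardened version, plus a check that flags a comment a browser would terminate early; the user note is a constructed sample input and the helper names are my own.

```python
import html
import re

# Constructed sample input: a user-supplied note that tries to close the comment early.
USER_NOTE = "thanks --><b>now outside the comment</b><!--"


def render_comment_unsafe(user_text: str) -> str:
    """The anti-pattern from the post: raw user text dropped straight into an HTML comment."""
    return f"<!-- user note: {user_text} -->"


def render_comment_safe(user_text: str) -> str:
    """Neutralise everything that can terminate an HTML comment.

    A browser ends a comment at '-->' (and at '--!>'), so a run of two or more
    hyphens is the dangerous building block: collapse it to a single hyphen,
    escape angle brackets so no tag survives either way, and strip a trailing
    hyphen because a comment body must not end with '-'.
    """
    cleaned = re.sub(r"-{2,}", "-", user_text)
    cleaned = html.escape(cleaned, quote=False)  # '<' -> '&lt;', '>' -> '&gt;'
    cleaned = cleaned.rstrip("-")
    return f"<!-- user note: {cleaned} -->"


def comment_closed_early(markup: str) -> bool:
    """Defensive check: does a comment terminator appear before the intended one?

    Assumes `markup` is a single '<!-- ... -->' comment as produced above.
    """
    body = markup[len("<!--"):-len("-->")]
    return "-->" in body or "--!>" in body


if __name__ == "__main__":
    print(render_comment_unsafe(USER_NOTE), comment_closed_early(render_comment_unsafe(USER_NOTE)))
    print(render_comment_safe(USER_NOTE), comment_closed_early(render_comment_safe(USER_NOTE)))
```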