I'm looking for a set of good practices to secure HTML form handling.
In my web app the input from HTML forms goes to a database and then back into HTML (like forums or comments).
I want to know how I should secure my web app. Which characters (HTML tags) should I remove from the textarea?
My web app is in Spring MVC, but the rules may be more general.
If you use the core tag
<c:out value="text" />
it will escape characters so they won't be interpreted as HTML code. It has an attribute called escapeXml, which can be true or false; it is true by default.
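The answer's point is that the safe place to neutralize user input is at output time, by escaping, rather than by stripping "dangerous" characters on the way in. The following is an added example (not code from the question or the answer above, and not Spring or JSTL code) that shows why. The escape_xml function mirrors the five-character escaping JSTL's c:out performs with escapeXml="true"; strip_script_tags_once is a constructed, deliberately naive tag-stripping filter of the kind the question asks about, and the comment strings are constructed sample input.

```python
import re

# The five characters <c:out escapeXml="true"> escapes, with the same
# replacement entities JSTL uses. Everything else is passed through.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(text: str) -> str:
    """Output-escape stored user text for HTML element content or a quoted
    attribute value. Note '&' is escaped too, so entities typed by the user
    (e.g. '&lt;') render literally instead of being decoded by the browser."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def strip_script_tags_once(text: str) -> str:
    """Constructed example of the input-filtering approach the question asks
    about: remove <script> / </script> tags in a single pass. This is what a
    naive 'which tags should I remove' filter looks like."""
    return re.sub(r"(?i)</?script[^>]*>", "", text)


def render_comment_escaped(comment: str) -> str:
    """What the page ends up doing via <c:out value="${comment}"/>."""
    return '<div class="comment">' + escape_xml(comment) + "</div>"


def render_comment_stripped(comment: str) -> str:
    """What the page ends up doing if it relies on input stripping instead."""
    return '<div class="comment">' + strip_script_tags_once(comment) + "</div>"


def contains_live_markup(rendered: str) -> bool:
    """True if the comment body still contains a raw '<', i.e. something the
    browser will parse as a tag rather than display as text."""
    body = rendered[len('<div class="comment">'):-len("</div>")]
    return "<" in body


# Constructed sample comments a user might submit through the textarea.
SAMPLE_COMMENTS = [
    "<script>alert(1)</script>",                    # the obvious payload
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # survives one stripping pass
    "<img src=x onerror=alert(1)>",                 # not a <script> tag at all
    'Tom & Jerry\'s "best" <b>episode</b>',         # benign text with all five chars
]


def compare() -> dict:
    """Return, per sample, whether each rendering strategy leaves live markup."""
    return {
        c: {
            "stripped_has_markup": contains_live_markup(render_comment_stripped(c)),
            "escaped_has_markup": contains_live_markup(render_comment_escaped(c)),
        }
        for c in SAMPLE_COMMENTS
    }


if __name__ == "__main__":
    for comment, result in compare().items():
        print(repr(comment), result)
```

Escaped output of this kind is safe in element content and inside quoted attribute values (the quotes are escaped). It is not sufficient inside an unquoted attribute, inside a <script> block, or inside a URL, each of which needs its own context-specific encoding; c:out only covers the HTML-text case.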