For extra protection, sanitize HTML on both the server AND the client. Just another layer in the onion.