[jxcl]

If a user has a bracket character in any field, it's OK to allow it, as long as you don't render it directly in any HTML. You have to make sure that when you render it you render it as `&lt;` or `&gt;`, which get displayed as `<`, or `>`, but aren't interpreted as HTML.

[trilila]

Correct. And one reason to properly format for output, rather than sanitise input is because you do not know how the string might be used. I mean you can sanitise for HTML output, but it won't cover shell command output (i.e.: when you pass the string as a parameter to a tool via --vehicle-name=). Thus input is to be stored as is, and NEVER trusted even if some input sources "sanitise" it.

[Technetium_Hat]

this mistake is what causes the incredibly common html entities in plain-text emails, as well as RSS article titles.