@Gray Yes, I agree; was just trying to simplify (in this case leading to an over-simplification). :p
@mjsa <img src="" onerror="alert(1)"/> Just didn't want anyone to take your message literally. XSS doesn't always require script tags. I know you are saying that <, >, etc. would get escaped here, but the comment itself could be misleading.
Also be careful of SQL injection and CSRF attacks. The OWASP Top Ten outlines some common vulnerabilities.
Essentially you need to substitute HTML special characters like < with their HTML entities like &lt;.
In JSP you can protect against this using the JSTL <c:out> tag or fn:escapeXml(). There is another answer that covers that here. In PHP you can try using the htmlspecialchars function.
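The substitution described in the answer, as an added example that is not part of the original posts: a Python stand-in (all function names are hypothetical) that runs the payload quoted in the comment above through a script-tag-only filter and through entity escaping, to show why the former is not enough.

```python
import re

# The five characters that are significant in HTML text and attribute values.
# "&" is handled first so entities produced by later steps are not re-escaped.
_ENTITIES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
             ('"', "&quot;"), ("'", "&#39;"))

def escape_html(value):
    """Replace HTML special characters with their entities."""
    for char, entity in _ENTITIES:
        value = value.replace(char, entity)
    return value

def strip_script_tags(value):
    """Over-simplified filter: removes <script> elements and nothing else."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", value)

def contains_markup(value):
    """True if a raw tag delimiter or quote character is still present."""
    return any(c in value for c in "<>\"'")

def render_comment(user_text):
    """Place untrusted text in element content and in a quoted attribute.

    Quotes are escaped too, so the value cannot terminate the attribute.
    """
    safe = escape_html(user_text)
    return '<p title="{0}">{0}</p>'.format(safe)

# Constructed inputs; the second is the payload quoted in the comment above.
SAMPLES = [
    "<script>alert(1)</script>",
    '<img src="" onerror="alert(1)"/>',
    'He said "hi" & left',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("input    :", sample)
        print("stripped :", strip_script_tags(sample))
        print("escaped  :", escape_html(sample))
        print("rendered :", render_comment(sample))
        print()
```

The script-tag filter returns the img payload unchanged, while the escaped form contains no raw `<`, `>` or quote characters and is displayed as text.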