Ulf is right, script tags must be removed from all user input, but removing them is not enough unfortunately. The problem is more involved. Actually,
you should check every input of the user, which means pretty much all input fields of a form (hidden or not, I'll explain why later). For instance, let's say you have an input field like the one that follows:
<input name="username" type="text" value="" />
If the user enters the following text in the input field:
"/><div>Please call +1-650-555-1234 to confirm your password</div><p a="
and for some reason you set the value of the input field with the above value the user entered (e.g. in order to allow further editions), then the whole thing will look like
<input name="username" type="text" value="
"/><div>Please call +1-650-555-1234 to confirm your password</div><p a="" />
which is perfectly valid HTML, except that a message has been injected and makes you think that it comes from the website.
So you could say that if you include a maxsize attribute in the input field and limit it to 8 characters that would pretty much prevent users from entering long HTML strings. Well, that won't work either as it is still possible to construct a URL by hand and send the same HTML input
string directly in the address bar, thus bypassing the maxlength check. The same holds for hidden fields. Never use hidden fields for sensible data, since hidden field data is passed as parameters in the URL and can also be compromised.
There are tons of ways of injecting stuff into an HTML page. For more information and examples, either search online or check
http://www.l0t3k.org/security/docs/xss/ and
http://ha.ckers.org/xss.html.
