Certainly one should never display un-escaped output -- that's how script injection attacks work. Using <c:out> will automatically escape HTML characters so that the output will not be interpreted as HTML.
The fact that you want to allow <pre> complicates things a bit. What exactly are you needing to do with <pre>?
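
An added example, not part of the original post: one way to keep everything escaped while still letting bare <pre> blocks through is to escape first and then restore only the exact tags `<pre>` and `</pre>`. The class and method names are hypothetical, and the sample input is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PreAllowlistEscaper {
    // Matches only the bare, already-escaped tags <pre> and </pre>.
    // A tag carrying attributes (e.g. onclick) never matches and stays escaped.
    private static final Pattern ESCAPED_PRE =
            Pattern.compile("&lt;(/?)pre&gt;", Pattern.CASE_INSENSITIVE);

    /** Escapes the same five characters that <c:out> escapes by default. */
    static String escapeHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escapes everything, then re-enables balanced bare <pre>...</pre> pairs. */
    static String escapeAllowingPre(String input) {
        Matcher m = ESCAPED_PRE.matcher(escapeHtml(input));
        StringBuffer out = new StringBuffer();
        int open = 0;
        while (m.find()) {
            String replacement;
            if (m.group(1).isEmpty()) { open++; replacement = "<pre>"; }
            else if (open > 0)        { open--; replacement = "</pre>"; }
            else                      { replacement = m.group(); } // stray </pre> stays escaped
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        while (open-- > 0) out.append("</pre>"); // close anything left open
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate <pre> block, a script tag, and a <pre> with an attribute.
        String input = "<pre>if (a < b) { }</pre><script>alert(1)</script><pre onclick=\"x()\">";
        System.out.println(escapeAllowingPre(input));
    }
}
```

The returned string is already escaped, so in the JSP it has to be written without a second escaping pass (for example `<c:out value="${safeText}" escapeXml="false"/>`, where `safeText` is an assumed attribute name), and only values that went through this method should ever be output that way.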