Two points:
Remember to sanitize EVERYTHING, either when you store it (by disallowing certain characters, say in a username) or when you display it (using h(), <%=h ... %> or whatever you choose.)
I personally use a script that will disallow <script> tags, and JavaScript URIs in links, etc. It uses an allow list, not a disallow list, so new exploits should be detected more easily than with a filter.
--Michael
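An allowlist-based filter of the kind the post describes, written here as an added Ruby example (it is not Michael's script). The tag, attribute and URL-scheme allowlists are assumptions chosen for illustration; everything outside an allowed tag is escaped, as `h()` would do.

```ruby
require 'cgi'

# Allowlist of tags and, for each, the attributes that may survive (constructed for this example).
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => %w[href title]
}.freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze
URL_ATTRS = %w[href src].freeze

# A URL is kept only if it is relative or uses an allowlisted scheme.
def safe_url?(raw)
  url = raw.gsub(/[[:cntrl:]]/, '').strip      # browsers ignore embedded tabs/newlines in a scheme
  return false if url.start_with?('//')         # protocol-relative: inherits the page's scheme, reject
  return true unless url.include?(':')          # plain relative path, query or fragment
  scheme = url[/\A([a-z][a-z0-9+.\-]*):/i, 1]   # conservative: any ':' must belong to an allowed scheme
  !scheme.nil? && ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Rebuild only the allowlisted attributes of an opening tag, dropping unsafe URLs.
def filter_attributes(tag, attr_str)
  attr_str.scan(/([a-zA-Z][\w\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/).map do |name, dq, sq, bare|
    name = name.downcase
    next unless ALLOWED_TAGS[tag].include?(name)
    value = CGI.unescapeHTML(dq || sq || bare)  # decode entity-encoded values before checking them
    next if URL_ATTRS.include?(name) && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Text outside tags is treated as raw text and escaped. Tags not on the allowlist are dropped
# (their inner text remains, escaped), so a <script> block degrades to harmless visible text.
def sanitize_html(html)
  out = +''
  pos = 0
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}) do |name, attr_str|
    m = Regexp.last_match
    out << CGI.escapeHTML(html[pos...m.begin(0)])
    pos = m.end(0)
    tag = name.downcase
    next unless ALLOWED_TAGS.key?(tag)
    if m[0].start_with?('</')
      out << "</#{tag}>"
    else
      out << "<#{tag}#{filter_attributes(tag, attr_str)}>"
    end
  end
  out << CGI.escapeHTML(html[pos..-1])
end
```

Because text nodes are escaped wholesale, an `&amp;` typed by the user comes out as `&amp;amp;`; that is the intended trade-off for treating input as raw text rather than trusted HTML.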