If that
string is sent to any page, it will execute upon display.
Again, never trust any text entered by a client. As Eric pointed out,
you should always escape any customer-entered text that you will display. It protects against accidentally breaking your page because someone entered script or "</html>" for their data, or against malicious attacks.
The easiest way to accomplish this, assuming JSP 2.0, is to use the <c:out> tag (which escapes its output by default), or the JSTL 1.1 fn:escapeXml() function.
Prior to JSP 2.0, it's fairly easy to write a custom tag that does likewise, or use the <c:out> tag from JSTL 1.0.
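As an added illustration (not part of the original post), here is a JSP 2.0 / JSTL 1.1 page fragment that puts the vulnerable and the escaped forms side by side. The request parameter name `name`, the file name `profile.jsp` and the sample payload are assumptions made up for the example.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed test input (assumed): request this page as
       profile.jsp?name=%3Cscript%3Ealert(1)%3C/script%3E
     so that request.getParameter("name") returns <script>alert(1)</script> --%>
<html>
<body>

<%-- VULNERABLE: a scriptlet and bare EL both write the raw string into the
     response, so the injected <script> element is parsed and executed. --%>
<p>Hello, <%= request.getParameter("name") %></p>
<p>Hello, ${param.name}</p>

<%-- SAFE: <c:out> escapes < > & ' " by default (escapeXml="true"), so the
     browser renders the literal text &lt;script&gt;alert(1)&lt;/script&gt; --%>
<p>Hello, <c:out value="${param.name}"/></p>

<%-- SAFE: the same escaping through the JSTL 1.1 function, which is the
     convenient form inside attribute values such as a pre-filled input. --%>
<p>Hello, ${fn:escapeXml(param.name)}</p>
<input type="text" name="name" value="${fn:escapeXml(param.name)}">

<%-- CAVEAT: escapeXml="false" switches the protection off again; only use it
     for markup the application itself generated, never for client data:
       <c:out value="${param.name}" escapeXml="false"/>   (unsafe) --%>

</body>
</html>
```

Note that this escaping is for HTML element content and quoted attribute values. Inserting client data inside a <script> block, an on* event-handler attribute, or a URL needs the encoding appropriate to that context; fn:escapeXml() alone is not enough there.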