How much do we trust user input? Not. At. All. That’s how much we trust user input. You just don’t know where they’ve been!
WordPress has such a plethora of functions for escaping and filtering input and output, that I’m always discovering new possibilities. One I found recently is
wp_kses, which allows you to strip out all HTML leaving only a limited set of allowed elements and attributes.