CERT has issued a report warning internet users about malicious HTML.
They also posted a solution here.
A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

In addition to scripting tags, other HTML tags such as the <FORM> tag have the potential to be abused by an attacker.
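As an added illustration (not code from the CERT report or from the site quoted above), the Python sketch below shows the two defences the report describes side by side: output encoding of a dynamically generated page, and an input check for the tags the report names. The sample input, the tag list and the function names are constructed for this example.

```python
import html
import re

# Constructed sample of untrusted input, as it might arrive in a query string
# or a posted message. The tag is the kind the report says must not be echoed raw.
UNTRUSTED_INPUT = '<SCRIPT>doSomething()</SCRIPT> Hello <b>there</b>'

# Tags the report names as abusable when they reach the browser unencoded.
DANGEROUS_TAGS = ("script", "object", "applet", "embed", "form")
TAG_RE = re.compile(r"<\s*/?\s*(" + "|".join(DANGEROUS_TAGS) + r")\b", re.IGNORECASE)


def render_page_vulnerable(user_text: str) -> str:
    """Echoes input straight into the page: the tags survive, so a browser
    with scripting enabled would treat them as markup, not text."""
    return f"<html><body><p>{user_text}</p></body></html>"


def render_page_hardened(user_text: str) -> str:
    """Output-encodes the input so the browser renders it as literal text.
    This is the primary control the report asks for on generated pages."""
    safe = html.escape(user_text, quote=True)
    return f"<html><body><p>{safe}</p></body></html>"


def contains_dangerous_tag(user_text: str) -> bool:
    """Input-validation check: flags submissions carrying the named tags.
    A supplement to encoding, not a replacement (tag lists are never complete)."""
    return TAG_RE.search(user_text) is not None


if __name__ == "__main__":
    print("raw page contains tag:", "<SCRIPT>" in render_page_vulnerable(UNTRUSTED_INPUT))
    print("encoded page contains tag:", "<SCRIPT>" in render_page_hardened(UNTRUSTED_INPUT))
    print("input flagged by validator:", contains_dangerous_tag(UNTRUSTED_INPUT))
```

Run as-is to see that the same input survives as live markup in the first page and as visible text (`&lt;SCRIPT&gt;`) in the second.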