
Gotcha, the HTML sanitization problem. Django doesn't even attempt to solve that, which is probably a bad idea since it inevitably means people will use the various insecure libraries that are out there on the 'net. The trouble is it's /really hard/ to do right - I'd be uncomfortable shipping a sanitizer with Django because I'd worry that some weird undocumented IE parsing error would allow nasty code to slip through and result in a 0-day exploit against the entire framework.



People tend to oversimplify this down to "how to accept HTML in user input", but the problem is more general: lots of applications have two-stage rendering sequences, where data is accepted and stored as HTML, and rendered later.


In the case of web2py there is an object called XML; text passed to the view inside XML is not escaped, otherwise it is. You can also do XML(text, sanitize=True) and you can specify which tags and which tag attributes should be allowed. The sanitizer that ships with web2py is the one developed by Josh Goldfoot and posted on ActiveState, recipe 496942.
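The thread above covers two points: an allowlist of tags and attributes is the usual shape of an HTML sanitizer, and the hard part is everything that slips past a naive one (event-handler attributes, javascript: URLs with embedded control characters, unclosed tags that change how the rest of the page parses). The block below is an added example written for this page; it is neither web2py's XML(sanitize=True) nor the ActiveState recipe, and the tag and attribute allowlists are assumptions chosen for illustration. It uses only the Python standard library so it runs offline.

```python
"""Allowlist HTML sanitizer built on html.parser (added example, stdlib only).

Design: everything not explicitly allowed is dropped; text is re-escaped on the
way out; the output is always balanced so a stored fragment cannot "swallow"
the rest of the page when it is rendered later.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for this example; a real deployment chooses its own.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # drop the tag AND its text
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def _safe_url(value: str) -> bool:
    """Scheme allowlist. Browsers ignore tabs/newlines/NULs inside a scheme,
    so "java\\tscript:" is still javascript: to them; strip those first."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True: entities arrive decoded, so we re-escape once.
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []   # stack, to emit balanced output
        self.skip_depth = 0              # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                        # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # onclick=, onerror=, style=, ...
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self.skip_depth:
            self.skip_depth -= 1
            return
        if tag not in self.open_tags:
            return                        # stray or disallowed close tag
        while self.open_tags:             # close anything mis-nested inside
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # comments, <!DOCTYPE>, <?pi?> fall through to HTMLParser's no-op handlers

    def finish(self) -> str:
        self.close()                      # flush buffered text
        while self.open_tags:             # balance whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return a sanitized, balanced HTML fragment safe to store and render later."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.finish()


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass attempts.
    for sample in [
        '<p onclick="x()">hi <b>there</b></p>',
        '<a href="javascript:alert(1)">x</a>',
        '<a href="java\tscript:alert(1)">x</a>',
        '<img src=x onerror=alert(1)>',
        '<script>alert(1)</script>text',
        '<b><i>mis-nested</b></i> and <b>unclosed',
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the output is balanced and every attribute value and text node is re-escaped, the sanitized string can be stored and dropped into a template unescaped later, which is the two-stage flow the second comment describes. The allowlist here is deliberately small; widening it (for example to allow style= or more URL-bearing attributes) is exactly where the browser-parsing quirks the first comment worries about start to matter.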



