Author: zores <hi>
Date: 5/28/2017 6:38:49 AM
Subject: Stored Cross Site Scripting

Recommendation is to output encode untrusted user input. :)

Also, functionality-wise, the encoding needs to be context-sensitive, i.e., if user input is displayed in an HTML context, use HTML encoding; if it is in a JavaScript context, use JavaScript encoding. Your output encode functions need to be written in a way to be context-aware.

I guess as long as registered users don't abuse this functionality, you're good. :)
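
The context-sensitive encoding described in the post above, as an added example that is not part of the original post: one encoder per output context, applied to the same stored value. The function names (`encodeForHtml`, `encodeForJsString`, `renderComment`) and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: two output encoders, one per rendering context.

// HTML element-content or quoted-attribute context:
// replace the characters that can open markup or close an attribute.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context: allow-list a few safe characters and
// emit \uXXXX for every other UTF-16 code unit (quotes, backslash, '<',
// line terminators), so the value cannot end the literal or the script block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render one stored value into both contexts, each with its own encoder.
function renderComment(comment) {
  return {
    html: '<p class="comment">' + encodeForHtml(comment) + '</p>',
    script: '<script>var lastComment = "' + encodeForJsString(comment) + '";</script>',
  };
}

// Constructed sample of untrusted stored input.
const sample = 'Tom & "Jerry" </script> \\';

const out = renderComment(sample);
console.log(out.html);
console.log(out.script);

// Using the HTML encoder inside the script block would be wrong: it leaves
// the trailing backslash untouched, which would escape the closing quote.
console.log(encodeForHtml(sample).endsWith('\\')); // true
```

The HTML encoder is only correct for element content and quoted attribute values; the JavaScript encoder is only correct inside a quoted string literal.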
