Ask HN: Should we validate free text input from user? What validations are a must?
6 points by bangda on March 13, 2017 | hide | past | favorite | 3 comments


Any input from a user should be validated and sanitized. Plain and simple.


But for input like comments and posts, what patterns need to be checked for and blacklisted?


The grandparent already said it: yes, you need to check and sanitize stuff.

It depends on what you are doing. You have to be more specific about your use case. There are a lot of sources out there regarding these topics, but maybe I can give you some hints.

Do you think of HTML forms which are sent via POST? If yes, what type of backend are you using? If you are using, say, a simple MySQL behind a PHP application, have a look into prepared statements, which help you store data in a more secure way by preventing SQL injections.

If you want to display comments, the easiest way is to handle them as plain text and escape/strip all HTML when reading from the backend, to prevent injection of JavaScript into the site.

If you want to allow styling of the comments, make sure you only allow specific whitelisted HTML tags like <b> or <i> or <strong>.

As you can see, depending on your use case there are different requirements. I would recommend starting with the easiest solution (only allow plain text) and working from there. Also have a look at what your framework provides, if you use one.
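The three pieces of advice in the comment above (prepared statements for storage, plain-text escaping for display, and a tag whitelist if styling is wanted) put together as an added example; this is not code from the thread, and it uses Python with an in-memory SQLite table standing in for the MySQL/PHP setup the commenter mentions. The table name, the hostile sample comments and the helper names are all constructed for illustration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Whitelist from the comment above: only these tags survive, and never with attributes.
ALLOWED_TAGS = {"b", "i", "strong"}


def new_db():
    """Constructed in-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment(conn, author, body):
    # Prepared (parameterized) statement: the driver binds author and body as values,
    # so quotes or SQL keywords inside them are stored verbatim, never executed.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def fetch_comments(conn):
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return [(row[0], row[1]) for row in rows]


def render_plain(body):
    # Easiest safe display: treat the comment as plain text and escape every HTML
    # metacharacter, so a <script> tag in a comment is shown literally, never run.
    return html.escape(body, quote=True)


class WhitelistSanitizer(HTMLParser):
    """Keeps only whitelisted tags (stripped of attributes) and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick=, style=, ...) are dropped
            self.open_tags.append(tag)
        # any other tag is removed; its inner text still passes through handle_data

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # close any tags opened after this one so the output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # text (including decoded entities) is re-escaped, so "&lt;script&gt;" stays inert
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:  # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def render_styled(body):
    parser = WhitelistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    conn = new_db()
    # Constructed hostile inputs: the first targets the SQL layer, the second the HTML output.
    store_comment(conn, "alice", "'); DROP TABLE comments; --")
    store_comment(conn, "bob", '<b onclick="steal()">hi</b> <script>alert(1)</script>')
    for author, body in fetch_comments(conn):
        print(author, "|", render_plain(body), "|", render_styled(body))
```

Note that escaping happens at output time, not at storage time: the database keeps the comment exactly as typed, and `render_plain` or `render_styled` is chosen per display context. The sanitizer drops attributes on whitelisted tags as well, since an allowed `<b>` with an `onclick` attribute would otherwise still carry script.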



