Classic XSS attack. You should be checking your inputs for HTML tags and removing them. If you are allowing people to post HTML tags then you should use a whitelist for allowed tags (and allowed tag attributes, so they can't do "onClick", for example) rather than trying to block ones you can think of that might cause trouble.
