I propose swapping the default behavior. Any time a variable is output, it should automatically escape any HTML. If I really do want the site to render the submitted HTML, I have to explicitly tell it to.

This is actually how XSL output works. It’s a nice luxury.
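The escape-by-default behaviour proposed above, as an added example that is not part of the original post: a minimal Python renderer that HTML-escapes every substituted value unless the author explicitly wraps it in a `SafeHTML` marker (the names `render`, `escape` and `SafeHTML` are assumptions, not any particular template engine's API).

```python
import html
import re


class SafeHTML(str):
    """Marker type: the author explicitly vouches that this string is safe HTML.
    Only values wrapped in SafeHTML bypass escaping; everything else is escaped.
    Because str operations return plain str, concatenating a SafeHTML with
    anything else drops the marker, so safety never leaks by accident."""


def escape(value):
    """Escape-by-default: SafeHTML passes through, everything else is escaped."""
    if isinstance(value, SafeHTML):
        return str(value)
    # quote=True also escapes " and ', so values are safe inside attributes.
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Substitute {{ name }} placeholders; every value goes through escape()."""
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"template variable {name!r} not provided")
        return escape(context[name])
    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample input: an untrusted comment containing a script tag.
UNTRUSTED = "<script>alert(1)</script>"
TEMPLATE = "<p>{{ comment }}</p>"


def render_default():
    """Default path: the submitted HTML is rendered as inert text."""
    return render(TEMPLATE, {"comment": UNTRUSTED})


def render_opt_out():
    """Explicit opt-out: the author asks for the raw HTML to be emitted."""
    return render(TEMPLATE, {"comment": SafeHTML(UNTRUSTED)})


if __name__ == "__main__":
    print(render_default())
    print(render_opt_out())
```

Note that HTML entity escaping is only the right transform for HTML text and attribute contexts; a value placed inside a script block or a URL needs context-specific encoding instead.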