Never trust user input. Though Mendix does some escaping for inputs, this only works client side.
Luckily the standard components will escape the data for displaying.
In some cases people show text in the HTML snippet widget https://appstore.home.mendix.com/link/app/56/ which does not escape.
This risks cross-site scripting; you can sanitize the input data with the Community Commons function XSSSanitize.
You can use a regular expression in a microflow against the corresponding field. The expression depends on what you want to allow; if you have a specific requirement of not allowing script tags only, you may use this:
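An added example (not code from the thread, from Mendix, or from Community Commons) that contrasts the two defences the answers above describe: output escaping, which the standard widgets apply before display, and a script-tag regex check of the kind a microflow validation could run on input. The sample strings and the regex are constructed for the example; the third sample shows why a rule that only rejects script tags is not a complete defence, and why escaping on output or an allowlist sanitizer such as XSSSanitize is preferred.

```javascript
// Escape the five characters that matter in an HTML text or attribute context.
// This is what "escaping for display" means: the browser renders the markup
// as literal text instead of parsing it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Blocklist check of the kind a microflow validation rule might use:
// rejects input containing a <script ...> tag, case-insensitively.
// (Constructed regex; the thread does not show the one the author used.)
const SCRIPT_TAG = /<\s*script\b/i;
function containsScriptTag(s) {
  return SCRIPT_TAG.test(s);
}

// Constructed inputs: a harmless one, one with a script tag, and markup that
// carries no script tag but still contains active content (an event-handler
// attribute), which the script-tag rule does not catch.
const SAMPLES = {
  plain: 'Hello <b>world</b> & friends',
  scriptTag: '<script>alert(1)</script>',
  handlerAttr: '<img src=x onerror=alert(1)>',
};

// After escaping, does the output still contain any raw tag? It never does,
// whatever the input, because every '<' has become '&lt;'.
function escapedOutputHasTags(s) {
  return /<[a-z]/i.test(escapeHtml(s));
}

// For each sample: would the regex reject it, and is it inert once escaped?
function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, value]) => [name, {
    regexRejects: containsScriptTag(value),
    safeAfterEscape: !escapedOutputHasTags(value),
  }]));
}
```

Running `report()` shows the regex flags only the script-tag sample, while escaping neutralises all three; this is the gap the HTML snippet widget opens when it renders stored text without escaping.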
Inserting code like
Mendix prevents execution of the script, but this does not mean that you are entirely safe in all conditions. A script you enter will be stored and can be sent to other systems via services, for example. The other system could then execute the script.
And when you use appstore components or develop your own components, you are also not always safe.
See https://docs.mendix.com/howto/security/best-practices-security#3-avoiding-injection.