To guard against this, make sure every text field on your site uses strict content validation. The standard practice is to deny all HTML tags except a few for content markup. The code on your server which accepts text input from users should also be screening out any input that goes out of bounds – this is to prevent the common ‘buffer overflow‘ attack, where innocent text is typed in first, followed by harmful code which is intended to overflow the data space your server is using to read the text, and hopefully be executed. To prevent buffer overflows, your server code should also be checking the boundaries of all input fields.
Website security is a deep subject, but this article should at least give you a few hints to watch for the most common problems.