It's not really so much a question of preventing certain tags. I'm wondering whether the string entered in the field is stored in the database using a prepared statement. If not, I don't think preventing certain tags is going to make it safe!
On the other hand, this is just a text entry. Maybe an injection attack doesn't work here.
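
The distinction raised in this comment, as an added example that is not part of the original post: a tag filter and a prepared statement guard against different things. The `strip_tags` filter, the `comments` table and the sample input are assumptions constructed for illustration, using Python's `sqlite3` module.

```python
import re
import sqlite3

# Constructed sample field value: it contains no tags at all, only a quote
# and punctuation, so a tag filter has nothing to remove.
SAMPLE = "hi'), ('admin', 'forged"

def strip_tags(text):
    """Hypothetical tag filter: drops anything shaped like <...>."""
    return re.sub(r"<[^>]*>", "", text)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db

def store_concatenated(db, author, body):
    # Weak form: the field value becomes part of the SQL text itself,
    # so a quote in the value can change the statement's structure.
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    db.execute(sql)

def store_prepared(db, author, body):
    # Prepared statement: the SQL text is fixed and the value is bound
    # as data, whatever characters it contains.
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))

def stored_rows(db):
    return db.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()

def compare(field_value):
    """Store the same filtered value both ways and return what each table holds."""
    filtered = strip_tags(field_value)
    weak, safe = make_db(), make_db()
    store_concatenated(weak, "guest", filtered)
    store_prepared(safe, "guest", filtered)
    return stored_rows(weak), stored_rows(safe)

if __name__ == "__main__":
    weak_rows, safe_rows = compare(SAMPLE)
    print("filter changed the input:", strip_tags(SAMPLE) != SAMPLE)
    print("concatenated:", weak_rows)
    print("prepared:    ", safe_rows)
```

With concatenation, the single submission is stored as two rows, one of them under an author the submitter never was; with the prepared statement, the same text is stored as one row, unchanged.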