It is often not possible to validate input from textarea fields (or other free-text inputs) in forms the way you can validate input from URL or email fields, for example, because free text has no fixed format to check against.
Therefore, you have to sanitize this user input in your form handler.
There are basically two measures, and they go hand in hand:
1. Sanitize user input before actually storing it, so that you make sure you only store the kind of data you want to store.
2. Escape user-generated input whenever you output it again (in templates, snippets, email templates, etc.).
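The two measures above, as an added Python example (not code from the original page): one function cleans free text before storage, the other escapes it when it is rendered into an HTML template. The specific cleaning rules (Unicode normalisation, newline normalisation, dropping control characters, a length cap) and the 2000-character limit are assumptions chosen for the example; a real form handler would pick them per field.

```python
import html
import re
import unicodedata

# Assumed length cap for a textarea field; a real application sets this per field.
MAX_LENGTH = 2000

# Control characters except tab, newline and carriage return, plus DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_for_storage(text: str, max_length: int = MAX_LENGTH) -> str:
    """Step 1: clean free-text input before storing it.

    Sanitising does not try to guess the output context; it only makes sure
    that what goes into the database is the kind of data we expect: normalised
    text without control characters and within a size limit.
    """
    # Normalise Unicode so visually identical strings are stored identically.
    text = unicodedata.normalize("NFC", text)
    # Normalise line endings (browsers submit textarea content with CRLF).
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Drop control characters that have no place in free text.
    text = _CONTROL_CHARS.sub("", text)
    # Trim surrounding whitespace and enforce the length limit.
    return text.strip()[:max_length]


def escape_for_html(text: str) -> str:
    """Step 2: escape stored text at output time, here for an HTML template.

    Escaping is tied to the output context: the same stored text would be
    escaped differently for a JSON response or an email header. Newlines are
    converted to <br> only after escaping, so user input can never inject tags.
    """
    return html.escape(text, quote=True).replace("\n", "<br>\n")


def handle_comment_form(raw_comment: str) -> str:
    """Simulates a form handler: sanitise on the way in, escape on the way out."""
    stored = sanitize_for_storage(raw_comment)   # what would be written to storage
    return escape_for_html(stored)                # what the template would render


if __name__ == "__main__":
    # Constructed sample input resembling a hostile textarea submission.
    sample = "  Nice post!\x00\r\n<script>alert(1)</script> & \"thanks\"  "
    print(handle_comment_form(sample))
```

Sanitising and escaping are kept as separate functions on purpose: storing already-escaped text would break any non-HTML output (plain-text email, JSON APIs), while escaping at output time keeps each template responsible for its own context.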