I suggest we start with a really cautious attitude here, and then in the longer run remove restrictions when we are sure they are safe.
So for the start I would suggest:
In the forum case, it is just a few tags that are allowed (like <i>, <b>, but not <img> and certainly not <script>). All <, >, and better also ', ", ; which are not part of explicitly allowed tags should be changed to &lt;, &gt;, etc. The <img> tag should not be allowed because it contains parameters which can be manipulated. There is nothing an attacker can do with a simple <i>.
In the search case it is simpler, because you should not allow any tags there at all and should replace all of these.
Of course UTF-8 variations of the symbols should be analyzed and characters like 000060 should be converted to 60 before stripping.
Speaking about potential implementation, a separate filter should be created and used in the corresponding web.xml, analyzing all POST and GET parameters supplied by the user. The question is whether we can create a generic filter for all components or whether there should be different ones because of the different needs of different modules.
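A sketch of the escaping rules proposed above, added here as an example and not code from the project or from the post's author. The class and method names are hypothetical; reading "000060" as a zero-padded numeric character reference (&#000060; for <) and escaping & as well are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InputSanitizer {
    // Numeric character references, decimal or hex, zero-padded or not, ';' optional.
    private static final Pattern NUM_REF =
        Pattern.compile("&#(?:[xX]0*([0-9a-fA-F]{1,6})|0*([0-9]{1,7}));?");
    // After escaping, only bare, attribute-free <i>, </i>, <b>, </b> have this shape.
    private static final Pattern ALLOWED = Pattern.compile("(?i)&lt;(/?[ib])&gt;");

    // Step 1: fold "&#000060;" and "&#60;" to the same character before filtering.
    static String decodeNumericRefs(String s) {
        Matcher m = NUM_REF.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            int cp = m.group(1) != null ? Integer.parseInt(m.group(1), 16)
                                        : Integer.parseInt(m.group(2));
            // Drop NUL, surrogates and out-of-range values instead of emitting them.
            boolean ok = cp > 0 && cp <= 0x10FFFF && (cp < 0xD800 || cp > 0xDFFF);
            String ch = ok ? new String(Character.toChars(cp)) : "";
            m.appendReplacement(out, Matcher.quoteReplacement(ch));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Step 2: escape the characters named in the post ('&' is an added assumption).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case ';':  sb.append("&#59;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Search fields: no tags at all, everything is escaped.
    static String sanitizeSearch(String s) { return escape(decodeNumericRefs(s)); }

    // Forum fields: escape everything, then restore only the allowlisted tags.
    static String sanitizeForum(String s) {
        return ALLOWED.matcher(sanitizeSearch(s)).replaceAll("<$1>");
    }

    public static void main(String[] args) { // constructed sample input
        System.out.println(sanitizeForum("<b>hi</b> &#000060;img src=x&#62; <i title='a'>"));
        System.out.println(sanitizeSearch("<i>term</i>"));
    }
}
```

Because the allowlist is matched against already-escaped text, a tag with any attribute, or a tag the user typed as literal entities, never matches and stays escaped.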