People can create pages on their machines that will send a POST to your server as if it were from your own page, but with nasty stuff in it. It is always very dangerous to use any incoming data without checking it.
Yeah, I'm stripping tags and making sure the parameter is an integer.
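
An added example, not part of the posts above: one way to do the server-side integer check mentioned in the reply, written in Python. The field name `item_id`, the bounds and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Hypothetical field name and bounds, assumed for this example.
FIELD = "item_id"
MIN_ID, MAX_ID = 1, 2**31 - 1
_DIGITS = re.compile(r"[0-9]{1,10}")  # ASCII digits only, bounded length


def parse_int_field(body, field=FIELD):
    """Return the validated integer from a urlencoded POST body, or raise ValueError."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(field)
    if values is None:
        raise ValueError("missing field")
    if len(values) != 1:
        # A forged form can repeat the field; refuse instead of picking one.
        raise ValueError("field sent more than once")
    raw = values[0]
    # fullmatch rejects "12abc", "1e3" and "0x10", and also " 12", "-5" and
    # full-width digits, which int() alone would accept.
    if not _DIGITS.fullmatch(raw):
        raise ValueError("not a plain decimal integer")
    value = int(raw)
    if not MIN_ID <= value <= MAX_ID:
        raise ValueError("out of range")
    return value


def check(body):
    """Helper for the sample run: the integer, or the rejection reason."""
    try:
        return parse_int_field(body)
    except ValueError as exc:
        return str(exc)


# Constructed sample bodies, as a page on someone else's machine could send them.
SAMPLES = [
    "item_id=42",
    "item_id=42%3Cscript%3E",
    "item_id=42&item_id=7",
    "item_id=%EF%BC%94%EF%BC%92",  # full-width digits
    "item_id=4294967296",
    "other=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check(sample))
```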