You have to sanitize your data, especially data that comes from the user's side.
Example: go here:
and in any field type ' ">XSS ' (without the single quotes).
This results in an XSS attack.
Ok, you have to be admin to exploit it, so, not a big deal, but, use esc_attr() please ;)
See you!
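To illustrate the fix the report asks for, here is an added example (not code from the original post or from the plugin): a settings field that echoes a stored value into an HTML attribute, shown unfixed and then wrapped in esc_attr(). The option name "myplugin_title" is hypothetical, and the esc_attr() fallback is only a stand-in for running the snippet outside WordPress.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical
// "myplugin_title" field. Inside WordPress esc_attr() already exists; the
// fallback below is a stand-in so the file also runs on plain PHP.

if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WordPress's esc_attr(): encodes & < > " ' so a value
    // cannot terminate the quoted attribute it is placed in.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable: the stored value is concatenated verbatim into value="...".
// A value beginning with  ">  closes the attribute and the <input> tag, so
// everything after it is parsed as markup (the XSS in the report).
function render_title_field_unsafe( $value ) {
    return '<input type="text" name="myplugin_title" value="' . $value . '">';
}

// Fixed: esc_attr() encodes the quote and angle brackets, so the value stays
// inside the attribute regardless of what the (admin) user typed.
function render_title_field_safe( $value ) {
    return '<input type="text" name="myplugin_title" value="' . esc_attr( $value ) . '">';
}

// Constructed input: the payload from the report, as it would come back
// from the database after an admin saved it.
$stored = '">XSS';

echo "Unsafe rendering:\n", render_title_field_unsafe( $stored ), "\n\n";
echo "Safe rendering:\n",   render_title_field_safe( $stored ),   "\n";
```

Compare the two lines of output: in the unsafe one the `<input>` tag ends right after `value="`, while in the safe one the same characters appear as `&quot;&gt;` and the tag stays intact.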