The files that comprise your team's website are on the host www in the directory:

C:\Program Files\Apache Software Foundation\Apache2.2

To defeat HTML injection attacks, we need to sanitize input. In the simplest case, that means disallowing <'s in user input. This site is a bit odd because the file htdocs\index.html is actually regenerated every time the script cgi-bin\survey.cgi is executed, i.e. every time someone submits a comment. So modifying index.html doesn't solve anything; you have to modify cgi-bin\survey.cgi.

The easiest way to defeat HTML injection is to replace any <'s in submitted user input with ... well, with anything else! Let's say with an X. This can be done either client-side or server-side. But for both, we're going to have to modify the file cgi-bin\survey.cgi.

Client-Side Validation / Sanitizing Input

Open the file cgi-bin\survey.cgi on host www with Notepad. It includes a mix of HTML and code in a language called Python. Find the HTML code with the form for submitting comments. In particular, find the code for the submit button. Replace onclick='submit()' with the following; the /</g pattern makes replace() change every <, where a plain string pattern "<" would change only the first one:
onclick='
  document.forms.survey.txt.value = document.forms.survey.txt.value.replace(/</g,"X");
  submit();'
    

Server-Side Validation / Sanitizing Input

Open the file cgi-bin\survey.cgi on host www with Notepad. It includes a mix of HTML and code in a language called Python. Even though you don't know Python, you should be able to spot the point in the Python code at which the variable comments gets its value and replace form["txt"].value with
cgi.escape(form["txt"].value);
    
which will "escape" special HTML characters like < before the Python script adds the comments to index.html.
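An added example, not the lab's survey.cgi: a Python 3 sketch of the server-side approach, using html.escape (the replacement for cgi.escape, which was removed in Python 3.8) and then parsing the regenerated page to confirm that no tag from a comment survived. The template, ALLOWED_TAGS, the function names and the sample comments are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: the real markup written by survey.cgi is not shown here.
TEMPLATE = "<html><body><h1>Comments</h1><ul>\n{items}</ul></body></html>\n"
ALLOWED_TAGS = {"html", "body", "h1", "ul", "li"}

# Constructed sample submissions.
SAMPLE_COMMENTS = [
    "Great site!",
    "I <b>really</b> liked it <i>a lot</i>",
    'Tom & Jerry said "5 < 6"',
]

def render_index(comments, escape=True):
    """Regenerate the page; with escape=True each comment is entity-encoded first."""
    items = ""
    for comment in comments:
        text = html.escape(comment, quote=True) if escape else comment
        items += "<li>" + text + "</li>\n"
    return TEMPLATE.format(items=items)

class TagCollector(HTMLParser):
    """Records the name of every start tag an HTML parser sees in the page."""
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)

def unexpected_tags(page):
    """Return tags present in the page that the template itself does not use."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - ALLOWED_TAGS

if __name__ == "__main__":
    print("unescaped:", sorted(unexpected_tags(render_index(SAMPLE_COMMENTS, escape=False))))
    print("escaped:  ", sorted(unexpected_tags(render_index(SAMPLE_COMMENTS))))
    print(render_index(SAMPLE_COMMENTS))
```

Unlike replacing < with X, escaping keeps the visitor's text readable in the browser: the third comment still displays as 5 < 6.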