The comment form is based on one of the examples for dynamic forms.
Here is a super-brief explaination, I'm a little time challenged at the moment :)
I use an application process to insert the data into the database.
When inserting it into the database I have to unescape the comment so it will render later. I use dbms_xmlgen.convert(:new.app_comment,dbms_xmlgen.entity_decode) to do this. There may be a better way I haven't thought of. I also strip out some html elements such as script, object, embed etc to prevent malicious attacks.
If this doesn't make sense to you, time to do some reading and learning :)