Sorry, the HTML encoding didn't make it through.
HTML encoding prevents the client from interpreting any metacharacters as the actual metacharacter. For example, if you HTML encode a script like <script>alert('xss')</script>, it becomes & lt ; script & gt ; alert ( ' xss ' ) & lt ; / script & gt ; (without the spaces). The browser would HTML decode this and display <script>alert('xss')</script>, but would not execute the resulting string.
As a good example, the DC forum web app is HTML encoding the post content, so the script tags are displayed by the client browser but not executed as scripts.
Aaron
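As an added example (not part of Aaron's post or the DC forum's own code), here is a minimal HTML output encoder of the kind described above, together with the browser-side entity decode that shows why the encoded script is displayed as text instead of running. The post content and the renderPost template are constructed for illustration.

```javascript
// Added example, not from the original post: HTML output encoding for
// untrusted forum content, plus the browser-side decode that turns the
// entities back into text for display without treating them as markup.

// Characters that can change how a browser parses HTML text or attributes.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode untrusted text for insertion into an HTML body or quoted attribute.
// '&' must be encoded too, otherwise user-supplied "&lt;" would be rendered
// as "<" after decoding and the displayed text would no longer match the input.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What the browser does with the encoded string: resolve entities back into
// characters for display. The HTML tokenizer has already decided this is text
// content, so the resulting "<script>" is never parsed as a start tag.
function htmlDecodeForDisplay(encoded) {
  return encoded
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&"); // decode &amp; last so "&amp;lt;" does not become "<"
}

// Render a post into a page fragment; only the template contributes raw tags.
function renderPost(author, body) {
  return `<div class="post"><b>${htmlEncode(author)}</b>: ${htmlEncode(body)}</div>`;
}

// Constructed sample post containing an injection attempt.
const samplePost = "<script>alert('xss')</script>";
const fragment = renderPost("guest", samplePost);
console.log(fragment);
// Round trip: the browser displays exactly what the user typed.
console.log(htmlDecodeForDisplay(htmlEncode(samplePost)) === samplePost); // true
```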