<script type="text/javascript">alert('Xss done');</script>

How do you resolve this Xss from Stackoverflo开发者_如何学Pythonw?

The output is html encoded.

All html entities are replaced with their escaped characters, for example "<" is replaced by <.

More info on wikipedia along with a list of html characters, http://en.wikipedia.org/wiki/Character_encodings_in_HTML

Jeff actually posted his Sanitizer on RefactorMyCode.com

You can see it here. It may not be the final version they're currently using, but it will show you the basics of how it works.