very true like why not replace these six characters <>"'&; (or the entire non-ascii character base) with their html counterparts?
it prevents ANY type of XSS (unless some anti-FBI hacker shows up)
also hacker plan is so easy to get, it literally shows up in the source code!