SEEKING: comments from anyone with something valuable to contribute.
ISSUE: escape() and unescape() are deprecated, HTMLEncode() is strictly a server-side implementation, and I am considering options of mitigating scripting attack risks via client-side scripting.
DETAILS: an app takes user input and embeds it into an XML tag prior to uploading it to DB. the app is required to encode <, > and ". Converting these symbols to entities is preferred, so encodeURI(), encodeURIComponent() and escape() are not my first choice, even if effective in mitigating attacks.