i'm afraid that my issue has nothing to do with serialization.
writing a script that will convert characters to entities is simple. I posted this thread to inquire about options and current industry standards. Always wise to look for options before implementing a decision that may become a future dependency.
basically, my question is to all readers here who mitigate scripting attack risk on the client side, what is your preferred method, and why?