You should use JavaScript (or a server-side script) to properly escape any user input before it is written into the page as HTML. Here's another JavaScript function you could try:
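/**
 * Returns a copy of the string with HTML-significant characters replaced by
 * character references, so the result is rendered as literal text.
 *
 * The replacement strings must be the entity forms ('&lt;', '&gt;', ...);
 * replacing a character with itself leaves the input unescaped.
 *
 * The output is suitable for HTML element content and for quoted attribute
 * values only. It is not an encoder for script, URL or CSS contexts.
 *
 * NOTE(review): this extends a native prototype, which is generally
 * discouraged; it is kept here so existing `str.escapeHTML()` callers work.
 *
 * @returns {string} The escaped string.
 */
String.prototype.escapeHTML = function () {
  return String(this)
    // '&' must go first, otherwise the '&' of the entities produced by the
    // later replacements would be escaped a second time.
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    // Single quotes matter when the value lands in a '...'-quoted attribute.
    .replace(/'/g, '&#39;');
};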
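// Show the current markup of #test as literal text instead of rendered HTML.
var codeEl = document.getElementById('test');
if (codeEl) {
  // Assigning to textContent makes the browser treat the value as plain text,
  // so the serialized markup is displayed verbatim and never re-parsed as
  // HTML. This does not depend on a hand-written escaper being complete.
  //
  // NOTE: the element's original content has already been parsed by the time
  // this runs, so this is a display conversion only. Untrusted input still
  // has to be encoded at the point where the page is generated.
  codeEl.textContent = codeEl.innerHTML;
}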