"Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP
ESAPI api to mitigate any XSS arising from untrusted user input.

I was evaluating this ESAPI api and the recommendations given on the wiki to
see if there are any potential flaws. Any weakness impacts a very large
number of users since many developers are using it to strengthen their web
applications throughout the world. This is my way of contributing back to
the community, but can never match the immense efforts put by Jeff and other
OWASP team members in developing this library."

Read more: http://securethoughts.com/2009/08/bypassing-owasp-esapi-xss-protection-inside-javascript/