How can escaping be used to prevent XSS attacks?

闹比i 2021-01-06 03:32

To prevent XSS attacks, output escaping has been enabled;

The above is from Symfony, but I don't understand.

2 answers
  •  误落风尘
    2021-01-06 04:08

    XSS, or Cross Site Scripting, is when someone else gets their JavaScript to be served up by your server. If, for example, you can get random JavaScript to get served from google.com, then you can have that JavaScript send you everything Google knows about the person to whom it's been served.

    To avoid this, data that may have come from users (rather than from the server / content author) has angle brackets and other HTML-like stuff escaped so that it won't be executed by end users.
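The escaping described in the answer above, as an added example in plain PHP (it is not part of the original post and is not Symfony's own code). The helper names `escHtml`, `escJs` and `renderGreeting` and the sample input are constructed for illustration; `htmlspecialchars()` and `json_encode()` are PHP built-ins.

```php
<?php
declare(strict_types=1);

// HTML context (element text and quoted attribute values):
// & < > " ' are converted to &amp; &lt; &gt; &quot; &#039;
function escHtml(string $value): string
{
    // ENT_QUOTES covers both quote styles, so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> context: HTML entities are not decoded there, so the value is
// JSON-encoded with < > & ' " written as \uXXXX escapes. That keeps it a
// plain string literal and prevents it from ending the script element.
function escJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hypothetical template: the same user value lands in an attribute and in text.
function renderGreeting(string $name, bool $escape): string
{
    $out = $escape ? escHtml($name) : $name;
    return '<p title="' . $out . '">Hello, ' . $out . '</p>';
}

// Constructed sample input: a "display name" submitted by a user.
$name = '"><script>alert(1)</script>';

// Escaping off: the browser parses the value as markup and runs the script.
echo renderGreeting($name, false), PHP_EOL;

// Escaping on: the browser displays the value as literal text.
echo renderGreeting($name, true), PHP_EOL;

// A different output context needs a different escaper.
echo '<script>var displayName = ', escJs($name), ';</script>', PHP_EOL;
```

Escaping is applied at output time and must match the context the value is written into; HTML escaping alone does not make a value safe inside a script block or a URL.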
