What is the best way to mitigate Cross-Site Scripting while still allowing special characters, such as JavaScript tags, to be displayed in the web browser without actually being executed?
URL/HTML encoding
Blacklisting
Whitelisting
Parameterized SQL queries in application code/configuration