I have some input containing HTML like <br> <b> <i> etc. I need a way to escape only the "bad" HTML that exposes my site to XSS etc.

After hours of Googeling I found the GWT which looks kinda promising.

What is the recommended way to escape bad HTML?

Edit:

Let me clear things up.

I am using a javascript text editor which outputs html. Wouldn't it be much easier if i use something like bbcode?

Google caja is a tool for making third party HTML, CSS and JavaScript safe to embed in your website.

OWASP AntiSamy is a project for just that. If you need users to be able to submit structured text, look at markdown (imho a lot better than BBCode).

Playframework 2 already offers a solution.

the @Html() function filters bad html, which is really nice.

I really love play2

You might want to just escape all html. If you want to have users be able to use basic html tags like <b> or <i> then you could just replace them with [b] and [i] (if your forum/whatever you're creating can use bbcode), then just replace all "<" and ">" with "<" and ">".