by g_delgado14 3778 days ago
As a curious noob, could you explain what is the source of the XSS vulnerability in this case? Is it simply that the site isn't being served over tls/ssl?

Not sanitizing input, by either scrubbing out any <script> tags, or escaping those characters to html entities.
Please don't "sanitize" input, just escape accordingly.

"<script>" might be a legitimate input.

You need both. Sometimes the legit input is HTML such as from rich text editors. In those cases if someone types a bold <script> then the form should submit the escaped <b>&lt;script&gt;</b> but also needs to sanitise to make sure that other HTML element types are not present.

If you escape one step further you'll lose formatting or the message, so sanitisation is important too; it is reductive to say "always escape never sanitise".
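A small illustration of the "you need both" point, added here as example code (not written by any commenter): plain-text fields are escaped outright, while rich-text fields go through an allowlist sanitiser that keeps a handful of formatting tags (a constructed allowlist for this example), drops every other tag together with all attributes, and still escapes all text content. It uses only Python's standard html.parser; a production system should use a maintained sanitiser library rather than this toy.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: a few formatting tags survive, with
# no attributes at all, so event handlers and javascript: URLs never get through.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}


def escape_text(s: str) -> str:
    """Plain-text field: escape everything, never 'sanitise'."""
    return escape(s, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rich-text field: keep allowlisted tags, escape all text, drop the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of currently open allowlisted tags

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:          # attrs are deliberately discarded
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open:
            while self.open:             # close up to the matching tag
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Text is always escaped: an entered "&lt;script&gt;" comes back out
        # as "&lt;script&gt;", never as a live <script> element.
        self.out.append(escape(data, quote=True))

    def close(self):
        super().close()
        while self.open:                 # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")


def sanitize_html(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Comments, doctype declarations and processing instructions fall through html.parser's default no-op handlers, so they are dropped as well.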

I think your first problem is whitelisting HTML entities. Unless you're composing HTML-formatted email, it's usually better to use a different markup syntax like a minimal markdown or asciidoc that can safely be escaped.
I agree, although for non-technical users, the better wysiwyg editors are still HTML based, unless you have a recommendation for an in-browser wysiwyg editor that returns/exports markdown?