This might be a bit more efficient with the same outcome:

function escapeXml(unsafe) {
    return unsafe.replace(/[<>&'"]/g, function (c) {
        switch (c) {
            case '<': return '&lt;';
            case '>': return '&gt;';
            case '&': return '&amp;';
            case '\'': return '&apos;';
            case '"': return '&quot;';
        }
    });
}

Four things:

1. replace returns the updated string, so you have to use the return value.

2. When the first argument is a string, it only replaces teh first occurrence; to replace all of them, you have to give a regular expression with the g flag.

3. Character entities end with ; (e.g., &, not &amp).

4. " is ", not '; and ' is ', not "

For example:

function encodeMe(myString) {
      mystring = myString.replace(/&/g, "&");
      mystring = myString.replace(/</g, "&lt;");
      mystring = myString.replace(/>/g, "&gt;");
      mystring = myString.replace(/"/g, "&quot;");
      mystring = myString.replace(/'/g, "&apos;");
      return myString;
}

or of course, one long chained statment:

function encodeMe(myString) {
      mystring = myString.replace(/&/g, "&")
                         .replace(/</g, "&lt;")
                         .replace(/>/g, "&gt;")
                         .replace(/"/g, "&quot;")
                         .replace(/'/g, "&apos;");
      return myString;
}

I'm also not 100% sure XML has '. HTML does, but I'm not sure XML does.

The correct answer is to double encode the text. First with JavascriptEncode and next with XmlAttributeEncode. The rationale behind this is that everything within a xml/html attribute should be XML attribute encoded. The parser of the browser will interpret this as an xml attribute and decode it that way. The browser will supply this decoded text to the javascript interpreter and it should therefore be JavaScript encoded properly to prevent a security leak.

This double encoding will not result invalid results, because the browser will also double decode this text (because two separate interpreters are involved). Here is an example of the correct encoding.

string unsafeText = "Hello <unsafe> ');alert('xss');alert('";
string javaEncoded = AntiXss.JavascriptEncode(unsafeText, false);
ENCODED_STRING = AntiXss.XmlAttributeEncode(javaEncoded);

<input type="button" onclick="alert('[ENCODED_STRING]');"
    value="Click me" />

While double encoding is the only correct way to do this, I like to note that using only JavaScript encoding will usually yield correct result. The constraint here is that the attribute's text is put between quotes.

JavaScript encoding uses the same white list (except for the space character) as HTML/XML attribute encoding. Difference between them is how unsafe characters are encoded. Javascript encodes them as \xXX and \uXXXX (such as \u01A3), while XML attribute encodes them as &#XX; and &#XXXX; (such as &#01A3;). When encoding text with JavaScript encoding, there are only two characters left that will be encoded again by the XML attribute encoder, namely the space character and the backslash character. Those two characters would only be form a problem when the attribute’s text isn’t wrapped between quotes.

Note however that only using XML attribute encoding in this scenario will NOT yield correct result.

Javascript strings are all UTF-16-encoded. You could try specifying that.

Where does the string come from? Is the string correct before parsing it?

Also, when is it being displayed? What encoding is expected there?