It should probably say to replace <>& with their respective entities. This might well not be what browsers do, though. I received a complaint that they overescape, e.g., nbsp.
Hmm, maybe browsers escape any non-ASCII characters because they don't know what the encoding will be? That would make sense, although it's horribly annoying if you use many non-ASCII chars.
(Note that HTML over-escapes nbsp explicitly: <http://www.whatwg.org/html/#escapingString>)
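Added example, not part of the thread and not any browser's code: the three escaping behaviours the comments above discuss, run over one constructed string. The `HTML_TEXT` table covers only text (non-attribute) content of the algorithm linked in the last comment; `escapeAsciiOnly` merely illustrates the "escape every non-ASCII character" hypothesis, and all function names are hypothetical.

```javascript
// Constructed sample: markup characters, a no-break space (U+00A0),
// a Latin-1 letter and an astral-plane character.
const SAMPLE = "a<b & c>d\u00A0caf\u00E9 \u{1F600}";

// First comment: replace only < > & with their entities.
const MINIMAL = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
// HTML text-mode escaping additionally turns U+00A0 into &nbsp;.
const HTML_TEXT = { ...MINIMAL, "\u00A0": "&nbsp;" };

function escapeWith(table, s) {
  // Single pass over the input, so an "&" emitted by one replacement
  // is never escaped a second time.
  const cls = new RegExp("[" + Object.keys(table).join("") + "]", "g");
  return s.replace(cls, (ch) => table[ch]);
}

const escapeMinimal = (s) => escapeWith(MINIMAL, s);
const escapeHtmlText = (s) => escapeWith(HTML_TEXT, s);

// Hypothesis from the second comment (an assumption, not observed
// behaviour): emit numeric character references for everything outside
// ASCII so the output no longer depends on the document encoding.
function escapeAsciiOnly(s) {
  let out = "";
  for (const ch of s) {                 // iterates by code point
    const cp = ch.codePointAt(0);
    if (MINIMAL[ch]) out += MINIMAL[ch];
    else if (cp > 0x7f) out += "&#x" + cp.toString(16).toUpperCase() + ";";
    else out += ch;
  }
  return out;
}

console.log(escapeMinimal(SAMPLE));
console.log(escapeHtmlText(SAMPLE));
console.log(escapeAsciiOnly(SAMPLE));
```

The three outputs differ only in how U+00A0 and the other non-ASCII characters are written; the markup-significant characters are escaped identically in all of them.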