In this example when a tweet is submitted it is properly encoded before being stored in the database.
OWASP's ESAPI4JS is used for performing the encoding.
However this application is still vulnerable.
No encoding is performed when the tweets from the database are displayed in the screen.
If there is a Reflected XSS or DNS Spoofing attack then it is possible for an attacker to inject data containing valid HTML tags directly in to the database.
To prove this a function has been created to inject raw data in the database, an attacker would do something similar in an actual attack.
Click this link to see the effect.