I wonder when you give up on a user input that you want to exploit. What is going through your head, what are you going by, and what makes you think that the input has been sanitized properly?
I have just started. So, when I test for XSS and find that the input is sanitized properly, that is when it really encodes characters like (! @ # $ % ^ & * " ' ( ) > <) with HTML entities.