I said on the previous threads you created around this that a username should be validated beforehand (and I'm fairly sure a <script> element would not form a valid username), therefore you shouldn't even reach this point.
Having said that, as it should be escaping the xml, have you looked at the response returned from the server using the browser's developer tools (usually F12)?
Thanks Dave. if the c:out tag escapes XML still the script value passed will be displayed? i see in the below link they mentioned the script will be displayed but wont be executed so the user input is safe ?