No, for the HTML body you will also need to encode the &
character to prevent an attacker from potentially escaping the escape.
Check out the XSS Experimental Minimal Encoding Rules:

HTML Body (up to HTML 4.01):

- HTML Entity encode: < &
- specify charset in metatag to avoid UTF7 XSS

XHTML Body:

- HTML Entity encode: < & >
- limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:

& < > " ' /
You must also quote the attribute value for the escaping to be effective.
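The two rule sets above applied in Python, as an added example that is not part of the original answer: a body-context encoder (`<` and `&`), an attribute-context encoder (the six characters listed), and a check, using the standard-library HTML parser as a stand-in for a browser, that the value only survives intact when the attribute is both encoded and quoted. The function names are assumptions.

```python
from html.parser import HTMLParser

# Minimal rule sets from the answer: text-node context vs attribute context.
BODY_ENTITIES = {"&": "&amp;", "<": "&lt;"}
ATTR_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                 '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

def encode_html_body(text):
    """Entity-encode the characters that can start markup or an entity in a text node.
    Encoding '&' keeps attacker-supplied '&lt;' as the literal text '&lt;'."""
    return "".join(BODY_ENTITIES.get(c, c) for c in text)

def encode_html_attr(text):
    """Entity-encode every character with special meaning inside an attribute value."""
    return "".join(ATTR_ENTITIES.get(c, c) for c in text)

def render_input(value, quoted=True):
    """Build an <input> tag whose value attribute carries untrusted text (constructed markup)."""
    encoded = encode_html_attr(value)
    return f'<input value="{encoded}">' if quoted else f"<input value={encoded}>"

class _FirstTag(HTMLParser):
    """Record the attributes the parser sees on the first start tag."""
    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities are decoded like a browser would
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup):
    parser = _FirstTag()
    parser.feed(markup)
    return parser.attrs or {}

def attribute_round_trips(value, quoted=True):
    """True when the parsed value attribute equals the original text and no extra
    attribute appeared, i.e. the untrusted text stayed data inside the attribute."""
    attrs = parsed_attrs(render_input(value, quoted))
    return attrs.get("value") == value and len(attrs) == 1
```

An unquoted attribute fails the check even though every listed character is encoded, because whitespace is not on the list and still terminates the value.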