Web server: when should I give up trying an xss on a part of a website?

I wonder when will you give up some kind of user information to exploit? What are the things that go through your head and those that make, that make you think that the entrance is properly disinfected?

I just started, so what I'm looking for when testing an XSS and determining if it's properly disinfected is, when encoding entries like (! @ # $% ^ & * "& # 39; ()> <) With HTML entities, that's Really.