Sorry, the DayPilot.Utils.Encoder.HtmlEncode() method is internal. You can use any generic HTML encoding method instead, such as HttpUtility.HtmlEncode():
There are two approaches to HTML sanitization - on input and on output. Generally, it is recommended to sanitize on output (which is what the example above does). That means the user input is stored in the database (as entered) and sanitized before display.
The report above seems to complain about the tree state content that is submitted with callbacks and postbacks. This state will include both the unsanitized Text and santized Html value and it may still complain. This seems to enforce the on-input sanitization so you would have to rebuild the logic and not allow storing raw content in the database.
Another option (a workaround) would be turn off the state synchronization using SyncTreeState=false. But that affects the behavior and you would have to rebuild the resource tree from the database on every callback/postback (and you would still lose the expanded/collapsed state).