"Permanent" means that the attack will be stored in the backend system. In normal XSS attacks, an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti cross-site scripting libraries.