https://marco.org/2008/12/18/karmcity-i-propose-swapping-the-default
I propose swapping the default behavior. Any time a variable is output, it should automatically escape any HTML. If I really do want the site to render the submitted HTML, I have to explicitly tell it to.
This is actually how XSL output works. It’s a nice luxury.
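The escape-by-default behavior proposed above, sketched as an added example that is not part of the original post: a small Python renderer whose `{{ name }}` / `{{ name|raw }}` syntax, `render` function and sample values are all hypothetical. The `|raw` marker plays the role that `disable-output-escaping="yes"` plays on an XSLT `xsl:value-of`.

```python
import html
import re

# Hypothetical mini template syntax invented for this example:
#   {{ name }}      -> value is HTML-escaped (the default)
#   {{ name|raw }}  -> value is emitted as-is (explicit opt-in)
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*(\|\s*raw\s*)?\}\}")


def render(template: str, context: dict) -> str:
    """Substitute placeholders, escaping every value unless marked |raw."""
    def substitute(match: re.Match) -> str:
        name, raw = match.group(1), match.group(2)
        if name not in context:
            # Fail loudly instead of silently emitting an empty string.
            raise KeyError(f"template variable not in context: {name}")
        value = str(context[name])
        # Escape-by-default: a forgotten marker yields inert text,
        # not live markup. Substituted values are never re-scanned.
        return value if raw else html.escape(value, quote=True)
    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample input: a user-submitted comment containing markup,
# and a fragment of HTML that the site itself produced and trusts.
CONTEXT = {
    "comment": '<script>alert("hi")</script>',
    "site_banner": "<strong>Welcome</strong>",
}

# The same untrusted value is used in an attribute and in element text.
TEMPLATE = '<div title="{{ comment }}">{{ comment }}</div>{{ site_banner|raw }}'


def demo() -> str:
    return render(TEMPLATE, CONTEXT)


if __name__ == "__main__":
    print(demo())
```

`html.escape` covers element text and quoted attribute values only; values placed inside `<script>` blocks, URLs or CSS need their own context-specific encoding.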