Comment by chriswarbo

9 hours ago

> arrogant security hall monitors who think developers can't be trusted to use the HTML escape function properly.

Unfortunately, they're not actually wrong though :-(

Still, there are ways to enforce escaping (like preventing "stringly typed" programming) which work perfectly well with streams of bytes, and don't impose any runtime overhead (e.g. equivalent to Haskell's `newtype`).
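
The approach described in the comment above, sketched as an added example that is not part of the original comment: a Rust single-field wrapper stands in for Haskell's `newtype`, and the names `Html`, `send` and `greeting` are hypothetical. The output sink accepts only the wrapper type, so unescaped bytes cannot reach it without going through `escape`.

```rust
use std::io::{self, Write};

/// Bytes that are safe to emit in HTML text or quoted-attribute context.
/// The field is private to this module, so outside code cannot wrap raw bytes itself.
#[repr(transparent)] // same layout as Vec<u8>: the wrapper adds no runtime cost
pub struct Html(Vec<u8>);

impl Html {
    /// The only route from untrusted bytes to `Html`.
    pub fn escape(untrusted: &[u8]) -> Html {
        let mut out = Vec::with_capacity(untrusted.len());
        for &b in untrusted {
            match b {
                b'&' => out.extend_from_slice(b"&amp;"),
                b'<' => out.extend_from_slice(b"&lt;"),
                b'>' => out.extend_from_slice(b"&gt;"),
                b'"' => out.extend_from_slice(b"&quot;"),
                b'\'' => out.extend_from_slice(b"&#x27;"),
                _ => out.push(b),
            }
        }
        Html(out)
    }

    /// Markup written by the developer; the `'static` bound rejects borrowed runtime data.
    pub fn trusted(markup: &'static str) -> Html {
        Html(markup.as_bytes().to_vec())
    }

    pub fn concat(parts: Vec<Html>) -> Html {
        Html(parts.into_iter().flat_map(|p| p.0).collect())
    }

    pub fn as_bytes(&self) -> &[u8] { &self.0 }
}

/// The sink takes `Html` only; passing `&[u8]` or `&str` is a compile error.
pub fn send<W: Write>(sink: &mut W, body: &Html) -> io::Result<()> {
    sink.write_all(&body.0)
}

pub fn greeting(name: &[u8]) -> Html {
    Html::concat(vec![Html::trusted("<p>Hello, "), Html::escape(name), Html::trusted("</p>")])
}

fn main() -> io::Result<()> {
    // Constructed sample input standing in for a request parameter.
    send(&mut io::stdout(), &greeting(b"<script>alert(1)</script>"))
}
```

The guarantee holds only if `Html` lives in its own module and every HTML sink in the code base takes `Html` rather than raw bytes.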