[stringtemplate-interest] Cross-site scripting countermeasures

Florian Weimer fw at deneb.enyo.de
Thu Feb 21 02:35:50 PST 2008


I've been trying to figure out, based on the documentation, how you
ensure proper output encoding (in particular HTML encoding, to prevent
JavaScript injection attacks).

Has this been a consideration in StringTemplate's design (and the
existing StringTemplate deployments just happen to be broken in similar
ways), or is this out of the scope of StringTemplate?

