Hi Sergei, XSS escaping is unfortunately not as simple as that. Templating engines are context-aware and can know whether to apply escaping for free-form text or an attribute (which can often also be validated by type), specific tag behaviors, and even whether the output is to be executed as HTML, XML, CSS, JS, etc.
One-size-fits-all escaping that doesn't take such context into account is not effective and even makes things worse by giving developers a false sense of security. Cheers, Andrey.
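As an added illustration of the point Andrey makes (this is not part of his comment, nor code from any template engine), here is a small JavaScript demonstration of what goes wrong when a single HTML-entity escaper is used in every output context. It goes slightly beyond the comment by showing three contexts side by side: an unquoted attribute, an event-handler attribute whose value the browser entity-decodes before handing it to the JavaScript parser, and an href. The escaper functions, the sample payloads and the tiny browser stand-in (`decodeEntities`, `attributeNames`, `handlerSource`, `runHandler`) are all constructed for this example; a real browser decodes far more entities than the stand-in does.

```javascript
// Added example (not from the thread): why one HTML-entity escaper cannot serve every
// output context. Escapers, payloads and the browser stand-in are constructed for illustration.

// 1. The "one-size-fits-all" escaper: HTML entities only.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// 2. Context-specific escapers, the kind a context-aware template engine selects per site.
// Attribute value: encode everything outside [A-Za-z0-9] as &#xHH;, so the value can never
// terminate an unquoted attribute or start a new one.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16)};`);
}
// JavaScript string literal: encode everything outside [A-Za-z0-9] as \xHH or \uHHHH, so the
// value can never close the literal regardless of which quote style surrounds it.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const n = c.charCodeAt(0);
    return n < 0x100 ? `\\x${n.toString(16).padStart(2, '0')}` : `\\u${n.toString(16).padStart(4, '0')}`;
  });
}
// URL in href: no escaping helps against a javascript: URL, so validate the scheme instead.
function safeHref(s) {
  const v = String(s).trim();
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(v) ? escapeHtml(v) : '#';
}

// 3. Three render sites, each in naive (escapeHtml everywhere) and context-aware form.
const render = {
  unquotedAttrNaive: v => `<div title=${escapeHtml(v)}>`,
  unquotedAttrSafe:  v => `<div title=${escapeHtmlAttr(v)}>`,
  // An HTML attribute wrapping JS is two nested contexts: the browser entity-decodes the
  // attribute first, then parses the result as JS. Encode for the inner (JS) context first,
  // then for the outer (HTML attribute) context.
  onclickNaive: v => `<button onclick="go('${escapeHtml(v)}')">`,
  onclickSafe:  v => `<button onclick="go('${escapeHtmlAttr(escapeJsString(v))}')">`,
  hrefNaive: v => `<a href="${escapeHtml(v)}">`,
  hrefSafe:  v => `<a href="${safeHref(v)}">`,
};

// 4. A minimal stand-in for the browser: entity decoding and attribute splitting.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const n = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCharCode(n);
    }
    return named[body.toLowerCase()] ?? m;
  });
}
// Attribute names an HTML parser would see on a tag whose values are unquoted.
function attributeNames(tag) {
  return tag.replace(/^<\w+\s*|>$/g, '').split(/\s+/).filter(Boolean).map(t => t.split('=')[0]);
}
// The JS source the browser would hand to its parser for the onclick handler.
function handlerSource(tag) {
  return decodeEntities(tag.match(/onclick="([^"]*)"/)[1]);
}
// Run that handler with instrumented go() and alert() and report what was called with what.
function runHandler(src) {
  const calls = [];
  new Function('go', 'alert', src)(x => calls.push(['go', x]), x => calls.push(['alert', x]));
  return calls;
}

// 5. Constructed payloads, one per context.
const payloads = {
  unquotedAttr: 'x onmouseover=alert(1)', // contains no HTML-special character at all
  onclick: "'); alert(1); ('",             // escapeHtml's &#39; is decoded back to ' before JS parsing
  href: 'javascript:alert(1)',             // nothing here is HTML-special either
};

function demo() {
  return {
    unquotedAttr: {
      naive: attributeNames(render.unquotedAttrNaive(payloads.unquotedAttr)), // ['title','onmouseover']
      safe:  attributeNames(render.unquotedAttrSafe(payloads.unquotedAttr)),  // ['title']
    },
    onclick: {
      naive: runHandler(handlerSource(render.onclickNaive(payloads.onclick))), // alert(1) fires
      safe:  runHandler(handlerSource(render.onclickSafe(payloads.onclick))),  // go() gets the payload as data
    },
    href: {
      naive: render.hrefNaive(payloads.href), // javascript: URL survives untouched
      safe:  render.hrefSafe(payloads.href),  // replaced by "#"
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the `naive` and `safe` entries: in every case the naive output is not simply "less escaped", it is wrong for that context, which is the false sense of security the comment warns about. The onclick case is the instructive one: the same `escapeHtml` call that is correct for body text is actively undone by the browser's attribute decoding, so only an escaper that knows it is emitting a JS literal inside an HTML attribute can get it right.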
