[fluffy]I just find it really weird that there’s no standard function for converting a text string into entity-escaped or URL-encoded as another text string. Both of those come up *all the time* in webapps, and the lack of standard functionality is probably where a lot of XSS issues come from.
