2. XSS injection. Any HTML coming back from a form will be efficiently sanitized just once on arrival. Unsanitized strings will be sanitized before being displayed.
I suspect this is accomplished through safe vs. unsafe types. Imagine the only function from `unsafe___` to `safe___` is the escape function, and all functions giving text back in responses are required to be of type `safe___`.
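The safe/unsafe type idea described above, sketched in Rust as an added example (not code from the original post or from the framework it discusses). The names `UnsafeText`, `SafeHtml`, `escape`, `literal`, `append`, `render` and `comment_page` are hypothetical, and the escaping covers only HTML text nodes and quoted attribute values.

```rust
// Added illustration; all names here are hypothetical and the input is constructed.
mod html {
    /// Text taken from a request. Never written to a response as-is.
    pub struct UnsafeText(String);
    /// Text safe for an HTML text node or quoted attribute value. The field is
    /// private, so outside this module it can only come from the functions below.
    pub struct SafeHtml(String);
    impl UnsafeText {
        pub fn from_request(raw: &str) -> Self { UnsafeText(raw.to_owned()) }
        /// The only UnsafeText -> SafeHtml conversion. It takes `self` by value,
        /// so the raw value is consumed and cannot be escaped a second time.
        pub fn escape(self) -> SafeHtml {
            let mut out = String::with_capacity(self.0.len());
            for c in self.0.chars() {
                match c {
                    '&' => out.push_str("&amp;"),
                    '<' => out.push_str("&lt;"),
                    '>' => out.push_str("&gt;"),
                    '"' => out.push_str("&quot;"),
                    '\'' => out.push_str("&#39;"),
                    _ => out.push(c),
                }
            }
            SafeHtml(out)
        }
    }

    impl SafeHtml {
        /// Markup the developer wrote as a string literal.
        pub fn literal(markup: &'static str) -> Self { SafeHtml(markup.to_owned()) }
        /// Joining safe values stays inside the safe type; nothing is re-escaped.
        pub fn append(mut self, other: SafeHtml) -> Self {
            self.0.push_str(&other.0);
            self
        }
    }
    /// Response bodies take SafeHtml only; UnsafeText or String will not type-check.
    pub fn render(body: SafeHtml) -> String { body.0 }
}

pub fn comment_page(raw: &str) -> String {
    use html::{render, SafeHtml, UnsafeText};
    let body = UnsafeText::from_request(raw).escape();
    render(SafeHtml::literal("<p>").append(body).append(SafeHtml::literal("</p>")))
}

fn main() { println!("{}", comment_page("<script>alert(1)</script>")); }
```

Replacing `.append(body)` with a raw `String` or an `UnsafeText` value fails to compile, which is the property the comment above speculates about.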