very nice! one question about the </ encoding: https://github.com/rejectedsoftware/vibe.d/commit/e4a600f911218c49f9984734b8ba36f193e99c17 wouldn't this https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive pass normally?