I was testing some code and realized that we are vulnerable to XSS attacks if we display user fields using inlining. We can easily avoid this by using the #strings utility. However, would it make sense to have the th:inline="text" be escaped and create another inline method th:inline="utext" for when you want inlining to be unescaped? I think this would be helpful to keep people from accidentally exposing XSS vulnerabilities.
Re: Should th:inline="text" expressions be escaped
If this is something that won't be fixed, could the docs be clarified? The docs suggest that text inlining would be a replacement for th:text. When I read that, I interpret it to mean that text inlining will act like th:text and escape text. I think it would be best to let developers know that by using inlining they're being exposed to XSS vulnerabilities.
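An added example (not code from the thread or from the Thymeleaf project) that renders the same user-supplied value through th:text, the two inlining forms and the #strings utility, so the escaping difference discussed above can be seen directly. It assumes Thymeleaf 3.x on the classpath, where `[[...]]` inlining is escaped and `[(...)]` is the explicit unescaped form; the sample name is constructed for the demo.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class InlineEscapingDemo {

    // Constructed sample value standing in for a user-editable profile field.
    static final String USER_NAME = "<script>alert(1)</script>";

    /** Renders an in-memory template with ${name} bound to the sample value. */
    static String render(String template) {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        Context ctx = new Context();
        ctx.setVariable("name", USER_NAME);
        return engine.process(template, ctx);
    }

    /** True when the rendered output contains no raw script tag. */
    static boolean isEscaped(String html) {
        return !html.contains("<script>");
    }

    public static void main(String[] args) {
        String[][] cases = {
            // th:text escapes, so the markup is shown as literal text.
            {"th:text",        "<p th:text=\"${name}\">placeholder</p>"},
            // [[...]] is the escaped inlining form: same result as th:text.
            {"[[...]] inline", "<p th:inline=\"text\">Hello, [[${name}]]</p>"},
            // [(...)] is the explicit unescaped form: the value is emitted verbatim.
            {"[(...)] inline", "<p th:inline=\"text\">Hello, [(${name})]</p>"},
            // #strings.escapeXml restores escaping even inside the unescaped form.
            {"escapeXml",      "<p th:inline=\"text\">Hello, [(${#strings.escapeXml(name)})]</p>"},
        };
        for (String[] c : cases) {
            String out = render(c[1]);
            System.out.printf("%-16s escaped=%-5b %s%n", c[0], isEscaped(out), out);
        }
    }
}
```

Only the `[(...)]` case prints `escaped=false`; wrapping the value in `#strings.escapeXml` is the opt-in the first post describes.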