Board Thread:Code Review/@comment-24728531-20151119154617/@comment-11733175-20151230133247

isn't for event based attributes, that's what  is for, e.g. , or it's shorthand version,.

To re-iterate Dessamator's point, you should always escape user input before outputting it, or validate it if there's a set of pre-specified values is can take. is suitable for this,  is not and has never claimed to be.