Right now, microformats2.*_to_html generate HTML with their own homegrown templates which is Very Bad and also Not Good for lots of obvious reasons, eg GHSA-4w4f-g49g-3f7j. I can fix issues individually as we find them, but really I should migrate the whole thing to something like jinja2 that escapes automatically by default. Substantial, medium sized project.

(Thanks again @janboddez!)