If I understand the XSS API correctly, the only supported methods for HTML contexts are encodeForHtml (https://github.com/apache/sling-org-apache-sling-xss/blob/257e7096dad689a46d474d1f251d504ca5508db7/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L419) and encodeForHtmlAttr (https://github.com/apache/sling-org-apache-sling-xss/blob/257e7096dad689a46d474d1f251d504ca5508db7/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L427). Both always escape & with &!
What should I use if I still want to pertain certain Unicode escape characters (https://www.w3.org/International/questions/qa-escapes) like certain Emojis (e.g. ✅ should not be modified). Is there already some support for this in the XSS API or if not, does it make sense to add support there? Thanks, Konrad
