Because HTML escaping is more complex than it should have to be. Image parsing is also a "solved problem" (if you ignore all the parser bugs that crop up in image libraries all the time).
> I guess you could say the same about prepared statements.
Actually, prepared statements are another case of doing it right! We finally realized that safely embedding text into SQL queries is way too complex, so instead we prepare/parametrize the query and transfer the values separately using a vastly simpler protocol.
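As an added illustration of that point (example code, not the commenter's), using Python's sqlite3 module with a constructed in-memory table: a legitimate name containing an apostrophe shows why escaping a value into the query text is fragile, while the parametrized query never has to escape anything because the value never becomes SQL.

```python
import sqlite3


def setup():
    # Constructed sample data; the apostrophe in "o'brien" is the interesting case.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")],
    )
    return conn


def lookup_interpolated(conn, name):
    # The value is spliced into the SQL text, so it is parsed as SQL:
    # the caller would have to escape it correctly for this dialect, every time.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parametrized(conn, name):
    # The query shape is fixed; the value is bound separately and is
    # compared as data, so there is no escaping step to get wrong.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def interpolation_breaks(conn, name):
    # True when the interpolated query no longer parses for this value.
    try:
        lookup_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = setup()
    print(lookup_parametrized(conn, "o'brien"))      # ['obrien@example.test']
    print(interpolation_breaks(conn, "o'brien"))     # True
```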