@jimp
One other reaction to add. I do not know which security measures / precautions Netgate takes with packages, e.g. with which authorization level they are running; however, adding whatever 'external' code to your system is always a risk, and surely if the involved system is a firewall.
So, but if you allow whatever package to be installed, then you trust that package, and an installed package does IMHO technically have the capability to do all kinds of unwanted things with your platform.
If one of those more or less trusted packages generates fixed HTML code, it sounds strange to me to see that HTML code from one of your own packages as ^dangerous^, where the fact that the package is installed is, again in my feeling, far more dangerous.
So, I do not need the htmlspecialchars() protection replacement for this case, but I do scratch my head why it is dangerous 😥