pub fn escape(input: &str) -> String
Escape a string for safe inline rendering inside Markdown.
The goal is injection safety, not escaping every punctuation mark. We:
- entity-encode HTML specials (<, >, &) so raw HTML can never be injected into a rendered comment;
- backslash-escape the Markdown characters that let attacker text break out of inline context — code spans (`), emphasis (*, _), links/images ([, ]), tables (|), and a literal backslash;
- flatten control characters (including CR/LF) that could forge new lines or block-level constructs.
Cosmetic-only characters (. - ! + # ( ) { }) are left as-is: with newlines
stripped they cannot start a block, so escaping them only produces noise.
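
A sketch of the policy described above, added here as an example; it is not this crate's implementation. The name `escape_inline_sketch` is hypothetical, and the sketch assumes that "flatten" means replacing each control character with a single space.

```rust
/// Added sketch of the documented policy; not the crate's own code.
/// Assumption: "flatten" = each control character becomes one space.
pub fn escape_inline_sketch(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + input.len() / 4);
    for c in input.chars() {
        match c {
            // HTML specials become entities so raw tags never reach the renderer.
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '&' => out.push_str("&amp;"),
            // Markdown characters that can leave inline context get a backslash.
            '`' | '*' | '_' | '[' | ']' | '|' | '\\' => {
                out.push('\\');
                out.push(c);
            }
            // CR, LF, tab and other control characters cannot forge a new line.
            c if c.is_control() => out.push(' '),
            // Cosmetic punctuation (. - ! + # ( ) { }) passes through unchanged.
            _ => out.push(c),
        }
    }
    out
}

fn main() {
    // Constructed untrusted inputs, such as an issue title or branch name.
    let samples = [
        "fix <script>alert(1)</script>",
        "title\n# Forged heading",
        "see [docs](https://example.invalid) | col",
        "v1.2.3 (stable) - ok!",
    ];
    for s in samples {
        println!("{:?} -> {}", s, escape_inline_sketch(s));
    }
}
```

With the newline flattened, the `#` in the second sample stays mid-line and cannot open a heading, which is why it needs no escape of its own.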