Normal variable output is HTML-escaped by default. This escaping is the system's default line of defense.
Escaped characters:
<>&"'
Type suffix escaping:
{variable:string} is escaped
{variable:html} is inserted raw
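
An added example, not the template system's own code: a minimal Python renderer for the placeholder syntax above, showing the five characters escaped for :string and passed through unchanged for :html. The name render, treating a bare {variable} as :string, rejecting unknown suffixes, and the exact entities (those of Python's html.escape) are assumptions.

```python
import html
import re

# Hypothetical minimal renderer for the {name} / {name:type} placeholders
# described above; not the template system's own implementation.
PLACEHOLDER = re.compile(r"\{(\w+)(?::(\w+))?\}")


def render(template, values):
    """Substitute placeholders; escape unless the suffix is 'html'."""
    def substitute(match):
        # Assumption: a placeholder without a suffix behaves like :string.
        name, suffix = match.group(1), match.group(2) or "string"
        if name not in values:
            raise KeyError(f"no value for placeholder {name!r}")
        text = str(values[name])
        if suffix == "html":
            return text  # inserted raw: the caller must supply trusted markup
        if suffix == "string":
            # Escapes < > & " ' (quote=True covers both quote characters).
            return html.escape(text, quote=True)
        # Assumption: fail closed on a suffix this sketch does not know.
        raise ValueError(f"unknown type suffix {suffix!r}")
    # re.sub makes a single pass, so placeholder-like text inside a value
    # is never expanded a second time.
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample value containing all five escaped characters.
SAMPLE = """<a href="x" title='t'>Tom & Jerry</a>"""


def demo():
    return {
        "default": render("<p>{v}</p>", {"v": SAMPLE}),
        "string": render("<p>{v:string}</p>", {"v": SAMPLE}),
        "html": render("<p>{v:html}</p>", {"v": SAMPLE}),
    }


if __name__ == "__main__":
    for kind, out in demo().items():
        print(f"{kind:8} {out}")
```

Because :html bypasses the default escaping, it is the suffix to audit: every value reaching it should be markup produced by trusted code or already sanitized.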