If I take the simple example:
function MyComponent({foo, title, baz, qux, bool}) {
  return html`
    <h1>${title}</h1>
    <div>${foo}</div>
    <div>${baz} ${qux}</div>
    <div>${bool}</div>
  `;
}
I have noticed that if I set foo (or whatever) to an HTML string like <script>window.alert('pwned')</script>, the script is executed.
It would be nice if the templating library could escape this sort of value so I don't need to do it ahead of time (especially in an environment like a Node.js server), don't you think?
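The behaviour described above, and the escaping the post asks for, side by side. This is an added example and not the library's own code: `htmlUnsafe` is a minimal tagged-template tag that concatenates interpolated values verbatim (the behaviour reported), and `html` is a constructed replacement that HTML-escapes every interpolation unless it is the result of a nested html`` call or is explicitly wrapped with `unsafeHtml()`. The names `TrustedHtml`, `unsafeHtml` and `render` are hypothetical and chosen for illustration only.

```javascript
// Added example (not the library's code): two minimal `html` tagged-template
// tags, to show why interpolated values need escaping and what escaping looks like.

// Naive tag: concatenates the literal parts and the interpolated values verbatim.
// This reproduces the reported behaviour: a value such as
// "<script>window.alert('pwned')</script>" lands in the markup unchanged.
function htmlUnsafe(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? String(values[i]) : ''),
    ''
  );
}

// Escape the five characters that matter inside HTML text and quoted attributes.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Wrapper marking markup that has already been escaped or deliberately vetted
// by the caller (hypothetical name). Only values of this type bypass escaping.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
}
function unsafeHtml(markup) { return new TrustedHtml(String(markup)); }

// Escaping tag: every interpolated value is escaped unless it is TrustedHtml
// (a nested html`` result or an explicit unsafeHtml()). Arrays are flattened
// element by element so lists of nested templates work; null/undefined render
// as nothing. The return value is itself TrustedHtml so templates compose.
function html(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i < values.length) out += renderValue(values[i]);
  }
  return new TrustedHtml(out);
}

function renderValue(v) {
  if (v === null || v === undefined) return '';
  if (v instanceof TrustedHtml) return v.markup;
  if (Array.isArray(v)) return v.map(renderValue).join('');
  return escapeHtml(v);
}

// The component from the report, unchanged except for using the escaping tag.
function MyComponent({ foo, title, baz, qux, bool }) {
  return html`
    <h1>${title}</h1>
    <div>${foo}</div>
    <div>${baz} ${qux}</div>
    <div>${bool}</div>
  `;
}

// Hypothetical server-side render helper: unwrap the final markup string.
function render(component, props) {
  return component(props).markup;
}

// Usage (e.g. on a Node.js server):
//   const payload = "<script>window.alert('pwned')</script>";
//   render(MyComponent, { title: 'Hi', foo: payload, baz: 'a', qux: 'b', bool: true });
//   -> the <div> for foo contains &lt;script&gt;..., which the browser shows as text
```

Two caveats a practitioner should keep in mind: this escaping is only correct for text nodes and quoted attribute values, so a template that interpolates into an unquoted attribute, a `href`/`src` (where `javascript:` URLs are the issue), an inline `<script>` block or an event handler attribute still needs context-specific handling; and the `unsafeHtml()` escape hatch reintroduces exactly the reported problem if it is ever fed user-controlled input.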