This kind of thinking is how your users end up getting emails from your buggy service like "Hello Østein & friends, ..." and your JSON API consumers encounter the same silly output.
Don't escape input. Escape based on output. Escaping doesn't mean anything until you've also specified an output format. It's not always HTML.
You are grossly misrepresenting my post, I have said nothing about whether the escaping should be applied to input or output, please edit or delete your comment.
Don't escape input. Escape based on output. Escaping doesn't mean anything until you've also specified an output format. It's not always HTML.