content: HTML escaping at render boundary (String>>htmlEscaped) + 8 tests (238/238)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

plans/content-on-sx.md

@@ -19,7 +19,7 @@ injected adapter, not core.
 
 ## Status (rolling)
 
-`bash lib/content/conformance.sh` → **230/230** (Phases 1–4 COMPLETE: blocks, doc, render, api, persist op log, CRDT merge, Ghost sync, federation)
+`bash lib/content/conformance.sh` → **238/238** (Phases 1–4 COMPLETE + extensions: HTML escaping)
 
 ## Ground rules
 
@@ -75,8 +75,20 @@ lib/content/api.sx ── (content/edit) (content/render) (content/history) ─
 - [x] federated documents (peer-authored blocks) — trust-gated stub
 - [x] tests: round-trip import/export, conflict on concurrent external edit
 
+## Extensions (post-roadmap)
+- [x] HTML escaping at the render boundary (`String>>htmlEscaped`: & < > ")
+- [ ] asSx wire string-escaping (" and \ in SX string literals)
+
 ## Progress log
 
+- 2026-06-07 — Extension: HTML escaping at the render boundary. Added
+  `String>>htmlEscaped` (recursive char walk escaping & < > ", order-safe so &
+  isn't double-escaped) and routed every `asHTML` text/attr through it — heading,
+  text, code body + language, quote, image src/alt, embed url, list items.
+  Render stays fully polymorphic in Smalltalk; escaping lives at the boundary.
+  +8 render tests (incl. `<script>` payloads, attr breakout, ampersand-once).
+  asSx wire-escaping deferred to next. Suite 238/238.
+
 - 2026-06-07 — Phase 4 `fed.sx` (**Phase 4 COMPLETE — roadmap done**):
   trust-gated federation. Peer ops carry provenance (`:author`, `:sig` stub);
   none are auto-accepted. The trust gate is a pluggable predicate (acl-on-sx