Recently, we noticed that a template like the following:
{template .outer}
{call .inner}
{param html}{customFunctionWithSanitizedResult()}{/param}
{/call}
{/template}
/** @param html HTML to be rendered
{template .inner}
{$html}
{/template}
doesn't do what you'd expect: the sanitized content from the function loses the "clean" bit when passed as a param, autoescaping (thus double escaping) the html.
I'm using a relatively old release of the templates lib, but I wasn't able to find anything related to this in the
code.google issues list... is this fixed in a recent release, on the docket for the future, or is the current behavior intentional for some reason?