[eluser]WanWizard[/eluser]
Unfortunately, Jacques1 is correct in his statements.
"Good enough" is a very subjective statement. Good enough for your personal website with 1 visitor every month (which is your mother), or good enough for a corporate application dealing with financial transactions?
We as a company have never used it (because of the reasons given in that thread), and I agree that although I would not go so far as to call this a design flaw, encoding on output is a much better mechanism, as it renders all malicious strings useless.
It's one of the many areas where the framework is showing its age...
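The point made in the post above, as an added example that is not part of the original thread and not CodeIgniter's own code: a blacklist-style input filter (a constructed stand-in written for this illustration, not `xss_clean()`) is run once over a stored value, while the alternative encodes the same untouched value for the context it is written into. The payloads are constructed for the demonstration; the code assumes PHP 8.

```php
<?php
// Added example, not code from the original thread or from CodeIgniter.
// It contrasts a blacklist-style input filter (a constructed stand-in; it is
// NOT CodeIgniter's xss_clean()) with encoding the same value on output.
declare(strict_types=1);

// Input-side filtering: strip known-bad tokens once and store the result.
function naive_input_filter(string $s): string
{
    $patterns = [
        '#</?\s*script[^>]*>#i',   // <script> and </script> tags
        '#javascript\s*:#i',       // javascript: URLs
        '#on\w+\s*=#i',            // on* event handler attributes
    ];
    return preg_replace($patterns, '', $s);
}

// Output-side encoding: leave the stored value alone and encode it for the
// context it lands in. The characters lose their meaning to the HTML parser.
function e_html(string $s): string   // text node or double-quoted attribute value
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function e_js(string $s): string     // value embedded as a string in a <script> block
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

// Constructed payloads. Each is still dangerous after one pass of the filter
// above, because the filter rewrites the string instead of re-reading it.
function payloads(): array
{
    return [
        // Removing the inner <script>/</script> tags reassembles the outer ones.
        '<scr<script>ipt>alert(1)</scr</script>ipt>',
        // Removing "onerror=" from the middle leaves "onerror=" behind.
        '<img src=x oonerror=nerror=alert(1)>',
        // Entity-encoded tab: the regex does not match, the browser still runs it.
        '<a href="java&#x09;script:alert(1)">x</a>',
    ];
}

// Crude check for a value that will land in an HTML text node: a raw "<"
// is all the parser needs to start a tag.
function starts_a_tag(string $s): bool
{
    return str_contains($s, '<');
}

function compare(): array
{
    $rows = [];
    foreach (payloads() as $p) {
        $filtered = naive_input_filter($p);
        $encoded  = e_html($p);
        $rows[] = [
            'filtered'     => $filtered,
            'encoded'      => $encoded,
            'filter_live'  => starts_a_tag($filtered),
            'encoded_live' => starts_a_tag($encoded),
        ];
    }
    return $rows;
}

foreach (compare() as $r) {
    printf("filtered: %s\n          live tag: %s\n", $r['filtered'], var_export($r['filter_live'], true));
    printf("encoded:  %s\n          live tag: %s\n\n", $r['encoded'], var_export($r['encoded_live'], true));
}
```

Run it with `php example.php`: every filtered value still contains markup the browser would act on (the first two come out as a plain `<script>` tag and an `onerror` handler), while every encoded value has `<`, `>`, `"` and `'` turned into entities, whatever the input was. `e_html()` is only correct for text nodes and quoted attribute values; an `href` or `src` additionally needs its scheme checked, and a value dropped into JavaScript needs `e_js()`, which is why the encoding has to be chosen at the point of output and not once on input.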