Convert some phutil_escape_html() to hsprintf()

Summary: Found by `sgrep_php -e '"...".phutil_escape_html(...)'`.

Test Plan:
/
/D1
/uiexample/
/countdown/1/
/herald/transcript/1/all/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4869

src/aphront/configuration/AphrontDefaultApplicationConfiguration.php

@@ -182,10 +182,9 @@ class AphrontDefaultApplicationConfiguration
         return $login_controller->processRequest();
       }
 
-      $content =
+      $content = hsprintf(
-        '<div class="aphront-policy-exception">'.
+        '<div class="aphront-policy-exception">%s</div>',
-          phutil_escape_html($ex->getMessage()).
+        $ex->getMessage());
-        '</div>';
 
       $dialog = new AphrontDialogView();
       $dialog

src/applications/auth/controller/PhabricatorLoginValidateController.php

@@ -43,9 +43,9 @@ final class PhabricatorLoginValidateController
 
       $list = array();
       foreach ($failures as $failure) {
-        $list[] = '<li>'.phutil_escape_html($failure).'</li>';
+        $list[] = phutil_tag('li', array(), $failure);
       }
-      $list = '<ul>'.implode("\n", $list).'</ul>';
+      $list = phutil_tag('ul', array(), $list);
 
       $view = new AphrontRequestFailureView();
       $view->setHeader(pht('Login Failed'));

src/applications/auth/controller/PhabricatorMustVerifyEmailController.php

@@ -45,7 +45,7 @@ final class PhabricatorMustVerifyEmailController
       '<p>'.
       pht('You must verify your email address to login. You should have a new '.
       'email message from Phabricator with verification instructions in your '.
-      'inbox (<strong>%s</strong>).', phutil_escape_html($email_address)).
+      'inbox (%s).', phutil_tag('strong', array(), $email_address)).
       '</p>');
     $error_view->appendChild(
       '<p>'.

src/applications/auth/controller/PhabricatorOAuthLoginController.php

@@ -69,14 +69,16 @@ final class PhabricatorOAuthLoginController
           $dialog = new AphrontDialogView();
           $dialog->setUser($current_user);
           $dialog->setTitle(pht('Already Linked to Another Account'));
-          $dialog->appendChild('<p>'.
+          $dialog->appendChild(phutil_tag(
+            'p',
+            array(),
             pht(
               'The %s account you just authorized is already linked to '.
               'another Phabricator account. Before you can associate your %s '.
               'account with this Phabriactor account, you must unlink it from '.
-              'the Phabricator account it is currently linked to.</p>',
+              'the Phabricator account it is currently linked to.',
-              phutil_escape_html($provider_name),
+              $provider_name,
-              phutil_escape_html($provider_name))).'</p>';
+              $provider_name)));
           $dialog->addCancelButton($provider->getSettingsPanelURI());
 
           return id(new AphrontDialogResponse())->setDialog($dialog);
@@ -97,13 +99,15 @@ final class PhabricatorOAuthLoginController
         $dialog->setUser($current_user);
         $dialog->setTitle(
           pht('Already Linked to an Account From This Provider'));
-        $dialog->appendChild('<p>'.
+        $dialog->appendChild(phutil_tag(
+          'p',
+          array(),
           pht(
             'The account you are logged in with is already linked to a %s '.
             'account. Before you can link it to a different %s account, you '.
-            'must unlink the old account.</p>',
+            'must unlink the old account.',
-            phutil_escape_html($provider_name),
+            $provider_name,
-            phutil_escape_html($provider_name))).'</p>';
+            $provider_name)));
         $dialog->addCancelButton($provider->getSettingsPanelURI());
         return id(new AphrontDialogResponse())->setDialog($dialog);
       }
@@ -170,13 +174,15 @@ final class PhabricatorOAuthLoginController
         $dialog = new AphrontDialogView();
         $dialog->setUser($current_user);
         $dialog->setTitle(pht('Already Linked to Another Account'));
-        $dialog->appendChild('<p>'.
+        $dialog->appendChild(phutil_tag(
+          'p',
+          array(),
           pht(
             'The %s account you just authorized has an email address which '.
             'is already in use by another Phabricator account. To link the '.
             'accounts, log in to your Phabricator account and then go to '.
             'Settings.',
-            phutil_escape_html($provider_name))).'</p>';
+            $provider_name)));
 
         $user = id(new PhabricatorUser())
           ->loadOneWhere('phid = %s', $known_email->getUserPHID());
@@ -189,10 +195,12 @@ final class PhabricatorOAuthLoginController
             $providers[] = PhabricatorOAuthProvider::newProvider($provider)
               ->getProviderName();
           }
-          $dialog->appendChild(
+          $dialog->appendChild(phutil_tag(
+            'p',
+            array(),
             pht(
-              '<p>The account is associated with: %s.</p>',
+              'The account is associated with: %s.',
-              implode(', ', phutil_escape_html($providers))));
+              implode(', ', $providers))));
         }
 
         $dialog->addCancelButton('/login/');
@@ -205,13 +213,15 @@ final class PhabricatorOAuthLoginController
       $dialog = new AphrontDialogView();
       $dialog->setUser($current_user);
       $dialog->setTitle(pht('No Account Registration with %s', $provider_name));
-      $dialog->appendChild('<p>'.
+      $dialog->appendChild(phutil_tag(
+        'p',
+        array(),
         pht(
           'You can not register a new account using %s; you can only use '.
           'your %s account to log into an existing Phabricator account which '.
           'you have registered through other means.',
-          phutil_escape_html($provider_name),
+          $provider_name,
-          phutil_escape_html($provider_name))).'</p>';
+          $provider_name)));
       $dialog->addCancelButton('/login/');
 
       return id(new AphrontDialogResponse())->setDialog($dialog);

src/applications/countdown/controller/PhabricatorCountdownDeleteController.php

@@ -33,9 +33,9 @@ final class PhabricatorCountdownDeleteController
     $dialog = new AphrontDialogView();
     $dialog->setUser($request->getUser());
     $dialog->setTitle('Really delete this countdown?');
-    $dialog->appendChild(
+    $dialog->appendChild(hsprintf(
-      '<p>Are you sure you want to delete the countdown "'.
+      '<p>Are you sure you want to delete the countdown "%s"?</p>',
-      phutil_escape_html($timer->getTitle()).'"?</p>');
+      $timer->getTitle()));
     $dialog->addSubmitButton('Delete');
     $dialog->addCancelButton('/countdown/');
     $dialog->setSubmitURI($request->getPath());

src/applications/countdown/controller/PhabricatorCountdownViewController.php

@@ -32,12 +32,9 @@ final class PhabricatorCountdownViewController
       $chrome_visible ? pht('Disable Chrome') : pht('Enable Chrome'));
 
     $container = celerity_generate_unique_node_id();
-    $content =
+    $content = hsprintf(
-      '<div class="phabricator-timer" id="'.$container.'">
+      '<div class="phabricator-timer" id="%s">
-        <h1 class="phabricator-timer-header">'.
+        <h1 class="phabricator-timer-header">%s &middot; %s</h1>
-          phutil_escape_html($timer->getTitle()).' &middot; '.
-          phabricator_datetime($timer->getDatePoint(), $user).
-        '</h1>
         <div class="phabricator-timer-pane">
           <table class="phabricator-timer-table">
             <tr>
@@ -46,20 +43,19 @@ final class PhabricatorCountdownViewController
               <th>Minutes</th>
               <th>Seconds</th>
             </tr>
-            <tr>'.
+            <tr>%s%s%s%s</tr>
-              javelin_tag('td',
-                array('sigil' => 'phabricator-timer-days'), '').
-              javelin_tag('td',
-                array('sigil' => 'phabricator-timer-hours'), '').
-              javelin_tag('td',
-                array('sigil' => 'phabricator-timer-minutes'), '').
-              javelin_tag('td',
-                array('sigil' => 'phabricator-timer-seconds'), '').
-            '</tr>
           </table>
-        </div>'.
+        </div>
-        $chrome_link.
+        %s
-      '</div>';
+      </div>',
+      $container,
+      $timer->getTitle(),
+      phabricator_datetime($timer->getDatePoint(), $user),
+      javelin_tag('td', array('sigil' => 'phabricator-timer-days'), ''),
+      javelin_tag('td', array('sigil' => 'phabricator-timer-hours'), ''),
+      javelin_tag('td', array('sigil' => 'phabricator-timer-minutes'), ''),
+      javelin_tag('td', array('sigil' => 'phabricator-timer-seconds'), ''),
+      $chrome_link);
 
     Javelin::initBehavior('countdown-timer', array(
       'timestamp' => $timer->getDatepoint(),

src/applications/daemon/view/PhabricatorDaemonLogEventsView.php

@@ -63,7 +63,7 @@ final class PhabricatorDaemonLogEventsView extends AphrontView {
         phutil_escape_html($event->getLogType()),
         phabricator_date($event->getEpoch(), $this->user),
         phabricator_time($event->getEpoch(), $this->user),
-        str_replace("\n", '<br />', phutil_escape_html($message.$more)),
+        phutil_escape_html_newlines($message.$more),
       );
 
       if ($this->combinedLog) {

src/applications/differential/controller/DifferentialCommentSaveController.php

@@ -56,7 +56,7 @@ final class DifferentialCommentSaveController extends DifferentialController {
 
       $dialog->setTitle(pht('Action Has No Effect'));
       $dialog->appendChild(
-        '<p>'.phutil_escape_html($no_effect->getMessage()).'</p>');
+        phutil_tag('p', array(), $no_effect->getMessage()));
 
       if (strlen($comment) || $has_inlines) {
         $dialog->addSubmitButton(pht('Post as Comment'));

src/applications/differential/render/DifferentialChangesetHTMLRenderer.php

@@ -70,10 +70,7 @@ abstract class DifferentialChangesetHTMLRenderer
           break;
 
         case DifferentialChangeType::TYPE_MOVE_HERE:
-          $from =
+          $from = phutil_tag('strong', array(), $changeset->getOldFile());
-            "<strong>".
-              phutil_escape_html($changeset->getOldFile()).
-            "</strong>";
           switch ($file) {
             case DifferentialChangeType::FILE_TEXT:
               $message = pht('This file was moved from %s.', $from);
@@ -97,10 +94,7 @@ abstract class DifferentialChangesetHTMLRenderer
           break;
 
         case DifferentialChangeType::TYPE_COPY_HERE:
-          $from =
+          $from = phutil_tag('strong', array(), $changeset->getOldFile());
-            "<strong>".
-              phutil_escape_html($changeset->getOldFile()).
-            "</strong>";
           switch ($file) {
             case DifferentialChangeType::FILE_TEXT:
               $message = pht('This file was copied from %s.', $from);
@@ -124,10 +118,10 @@ abstract class DifferentialChangesetHTMLRenderer
           break;
 
         case DifferentialChangeType::TYPE_MOVE_AWAY:
-          $paths =
+          $paths = phutil_tag(
-            "<strong>".
+            'strong',
-              phutil_escape_html(implode(', ', $changeset->getAwayPaths())).
+            array(),
-            "</strong>";
+            implode(', ', $changeset->getAwayPaths()));
           switch ($file) {
             case DifferentialChangeType::FILE_TEXT:
               $message = pht('This file was moved to %s.', $paths);
@@ -151,10 +145,10 @@ abstract class DifferentialChangesetHTMLRenderer
           break;
 
         case DifferentialChangeType::TYPE_COPY_AWAY:
-          $paths =
+          $paths = phutil_tag(
-            "<strong>".
+            'strong',
-              phutil_escape_html(implode(', ', $changeset->getAwayPaths())).
+            array(),
-            "</strong>";
+            implode(', ', $changeset->getAwayPaths()));
           switch ($file) {
             case DifferentialChangeType::FILE_TEXT:
               $message = pht('This file was copied to %s.', $paths);
@@ -178,10 +172,10 @@ abstract class DifferentialChangesetHTMLRenderer
           break;
 
         case DifferentialChangeType::TYPE_MULTICOPY:
-          $paths =
+          $paths = phutil_tag(
-            "<strong>".
+            'strong',
-              phutil_escape_html(implode(', ', $changeset->getAwayPaths())).
+            array(),
-            "</strong>";
+            implode(', ', $changeset->getAwayPaths()));
           switch ($file) {
             case DifferentialChangeType::FILE_TEXT:
               $message = pht(
@@ -262,23 +256,26 @@ abstract class DifferentialChangesetHTMLRenderer
       $nval = idx($new, $key);
       if ($oval !== $nval) {
         if ($oval === null) {
-          $oval = '<em>null</em>';
+          $oval = phutil_tag('em', array(), 'null');
         } else {
-          $oval = nl2br(phutil_escape_html($oval));
+          $oval = phutil_escape_html_newlines($oval);
         }
 
         if ($nval === null) {
-          $nval = '<em>null</em>';
+          $nval = phutil_tag('em', array(), 'null');
         } else {
-          $nval = nl2br(phutil_escape_html($nval));
+          $nval = phutil_escape_html_newlines($nval);
         }
 
-        $rows[] =
+        $rows[] = hsprintf(
           '<tr>'.
-            '<th>'.phutil_escape_html($key).'</th>'.
+            '<th>%s</th>'.
-            '<td class="oval">'.$oval.'</td>'.
+            '<td class="oval">%s</td>'.
-            '<td class="nval">'.$nval.'</td>'.
+            '<td class="nval">%s</td>'.
-          '</tr>';
+          '</tr>',
+          $key,
+          $oval,
+          $nval);
       }
     }
 

src/applications/differential/view/DifferentialLocalCommitsView.php

@@ -54,17 +54,17 @@ final class DifferentialLocalCommitsView extends AphrontView {
       } else {
         $commit_hash = null;
       }
-      $row[] = '<td>'.phutil_escape_html($commit_hash).'</td>';
+      $row[] = phutil_tag('td', array(), $commit_hash);
 
       if ($has_tree) {
         $tree = idx($commit, 'tree');
         $tree = substr($tree, 0, 16);
-        $row[] = '<td>'.phutil_escape_html($tree).'</td>';
+        $row[] = phutil_tag('td', array(), $tree);
       }
 
       if ($has_local) {
         $local_rev = idx($commit, 'local', null);
-        $row[] = '<td>'.phutil_escape_html($local_rev).'</td>';
+        $row[] = phutil_tag('td', array(), $local_rev);
       }
 
       $parents = idx($commit, 'parents', array());
@@ -72,15 +72,15 @@ final class DifferentialLocalCommitsView extends AphrontView {
         if (is_array($parent)) {
           $parent = idx($parent, 'rev');
         }
-        $parents[$k] = phutil_escape_html(substr($parent, 0, 16));
+        $parents[$k] = substr($parent, 0, 16);
       }
-      $parents = implode('<br />', $parents);
+      $parents = array_interleave(phutil_tag('br'), $parents);
-      $row[] = '<td>'.$parents.'</td>';
+      $row[] = phutil_tag('td', array(), $parents);
 
       $author = nonempty(
         idx($commit, 'user'),
         idx($commit, 'author'));
-      $row[] = '<td>'.phutil_escape_html($author).'</td>';
+      $row[] = phutil_tag('td', array(), $author);
 
       $message = idx($commit, 'message');
 
@@ -107,9 +107,9 @@ final class DifferentialLocalCommitsView extends AphrontView {
       if ($date) {
         $date = phabricator_datetime($date, $user);
       }
-      $row[] = '<td>'.$date.'</td>';
+      $row[] = phutil_tag('td', array(), $date);
 
-      $rows[] = '<tr class="'.$class.'">'.implode('', $row).'</tr>';
+      $rows[] = phutil_tag('tr', array('class' => $class), $row);
     }
 
 

src/applications/differential/view/DifferentialRevisionUpdateHistoryView.php

@@ -119,24 +119,22 @@ final class DifferentialRevisionUpdateHistoryView extends AphrontView {
       }
 
       if (++$idx % 2) {
-        $class = ' class="alt"';
+        $class = 'alt';
       } else {
         $class = null;
       }
 
+      $lint_attrs = array('class' => 'revhistory-star');
+      $unit_attrs = array('class' => 'revhistory-star');
       if ($diff) {
         $lint = self::renderDiffLintStar($row['obj']);
         $unit = self::renderDiffUnitStar($row['obj']);
-        $lint_message = self::getDiffLintMessage($diff);
+        $lint_attrs['title'] = self::getDiffLintMessage($diff);
-        $unit_message = self::getDiffUnitMessage($diff);
+        $unit_attrs['title'] = self::getDiffUnitMessage($diff);
-        $lint_title = ' title="'.phutil_escape_html($lint_message).'"';
-        $unit_title = ' title="'.phutil_escape_html($unit_message).'"';
         $base = $this->renderBaseRevision($diff);
       } else {
         $lint = null;
         $unit = null;
-        $lint_title = null;
-        $unit_title = null;
         $base = null;
       }
 
@@ -149,18 +147,20 @@ final class DifferentialRevisionUpdateHistoryView extends AphrontView {
         'a',
         array('href' => '/differential/diff/'.$id.'/'),
         $id);
-      $rows[] =
+      $rows[] = phutil_tag(
-        '<tr'.$class.'>'.
+        'tr',
-          '<td class="revhistory-name">'.phutil_escape_html($name).'</td>'.
+        array('class' => $class),
-          '<td class="revhistory-id">'.$id_link.'</td>'.
+        array(
-          '<td class="revhistory-base">'.phutil_escape_html($base).'</td>'.
+          phutil_tag('td', array('class' => 'revhistory-name'), $name),
-          '<td class="revhistory-desc">'.phutil_escape_html($desc).'</td>'.
+          phutil_tag('td', array('class' => 'revhistory-id'), $id_link),
-          '<td class="revhistory-age">'.$age.'</td>'.
+          phutil_tag('td', array('class' => 'revhistory-base'), $base),
-          '<td class="revhistory-star"'.$lint_title.'>'.$lint.'</td>'.
+          phutil_tag('td', array('class' => 'revhistory-desc'), $desc),
-          '<td class="revhistory-star"'.$unit_title.'>'.$unit.'</td>'.
+          phutil_tag('td', array('class' => 'revhistory-age'), $age),
-          '<td class="revhistory-old'.$old_class.'">'.$old.'</td>'.
+          phutil_tag('td', $lint_attrs, $lint),
-          '<td class="revhistory-new'.$new_class.'">'.$new.'</td>'.
+          phutil_tag('td', $unit_attrs, $unit),
-        '</tr>';
+          phutil_tag('td', array('class' => 'revhistory-old'.$old_class), $old),
+          phutil_tag('td', array('class' => 'revhistory-new'.$new_class), $new),
+        ));
     }
 
     Javelin::initBehavior(

src/applications/diviner/controller/DivinerListController.php

@@ -41,11 +41,13 @@ final class DivinerListController extends PhabricatorController {
         ),
         $name);
 
-      $out[] =
+      $out[] = hsprintf(
         '<div class="aphront-directory-item">'.
-          '<h1>'.$link.'</h1>'.
+          '<h1>%s</h1>'.
-          '<p>'.phutil_escape_html($flavor).'</p>'.
+          '<p>%s</p>'.
-        '</div>';
+        '</div>',
+        $link,
+        $flavor);
     }
 
     $out =

src/applications/feed/story/PhabricatorFeedStory.php

@@ -243,15 +243,14 @@ abstract class PhabricatorFeedStory implements PhabricatorPolicyInterface {
   }
 
   final protected function renderString($str) {
-    return '<strong>'.phutil_escape_html($str).'</strong>';
+    return phutil_tag('strong', array(), $str);
   }
 
   final protected function renderSummary($text, $len = 128) {
     if ($len) {
       $text = phutil_utf8_shorten($text, $len);
     }
-    $text = phutil_escape_html($text);
+    $text = phutil_escape_html_newlines($text);
-    $text = str_replace("\n", '<br />', $text);
     return $text;
   }
 

src/applications/files/controller/PhabricatorFileDeleteController.php

@@ -33,9 +33,9 @@ final class PhabricatorFileDeleteController extends PhabricatorFileController {
     $dialog = new AphrontDialogView();
     $dialog->setUser($user);
     $dialog->setTitle('Really delete file?');
-    $dialog->appendChild(
+    $dialog->appendChild(hsprintf(
-      "<p>Permanently delete '".phutil_escape_html($file->getName())."'? This ".
+      "<p>Permanently delete '%s'? This action can not be undone.</p>",
-      "action can not be undone.");
+      $file->getName()));
     $dialog->addSubmitButton('Delete');
     $dialog->addCancelButton($file->getInfoURI());
 

src/applications/help/controller/PhabricatorHelpKeyboardShortcutController.php

@@ -25,14 +25,16 @@ final class PhabricatorHelpKeyboardShortcutController
     foreach ($keys as $shortcut) {
       $keystrokes = array();
       foreach ($shortcut['keys'] as $stroke) {
-        $keystrokes[] = '<kbd>'.phutil_escape_html($stroke).'</kbd>';
+        $keystrokes[] = phutil_tag('kbd', array(), $stroke);
       }
-      $keystrokes = implode(' or ', $keystrokes);
+      $keystrokes = array_interleave(' or ', $keystrokes);
-      $rows[] =
+      $rows[] = phutil_tag(
-        '<tr>'.
+        'tr',
-          '<th>'.$keystrokes.'</th>'.
+        array(),
-          '<td>'.phutil_escape_html($shortcut['description']).'</td>'.
+        array(
-        '</tr>';
+          phutil_tag('th', array(), $keystrokes),
+          phutil_tag('td', array(), $shortcut['description']),
+        ));
     }
 
     $table =

src/applications/herald/controller/HeraldDeleteController.php

@@ -43,9 +43,9 @@ final class HeraldDeleteController extends HeraldController {
     $dialog = new AphrontDialogView();
     $dialog->setUser($request->getUser());
     $dialog->setTitle('Really delete this rule?');
-    $dialog->appendChild(
+    $dialog->appendChild(hsprintf(
-      "Are you sure you want to delete the rule ".
+      "Are you sure you want to delete the rule '<strong>%s</strong>'?",
-      "'<strong>".phutil_escape_html($rule->getName())."</strong>'?");
+      $rule->getName()));
     $dialog->addSubmitButton('Delete');
     $dialog->addCancelButton('/herald/');
     $dialog->setSubmitURI($request->getPath());

src/applications/herald/controller/HeraldTranscriptController.php

@@ -108,10 +108,7 @@ final class HeraldTranscriptController extends HeraldController {
       $value = implode(', ', $value);
     }
 
-    return
+    return hsprintf('<span class="condition-test-value">%s</span>', $value);
-      '<span class="condition-test-value">'.
-        phutil_escape_html($value).
-      '</span>';
   }
 
   private function buildSideNav() {
@@ -296,22 +293,22 @@ final class HeraldTranscriptController extends HeraldController {
           }
           break;
       }
-      $target = phutil_escape_html($target);
 
       if ($apply_xscript->getApplied()) {
-        $outcome = '<span class="outcome-success">SUCCESS</span>';
+        $outcome = hsprintf('<span class="outcome-success">SUCCESS</span>');
       } else {
-        $outcome = '<span class="outcome-failure">FAILURE</span>';
+        $outcome = hsprintf('<span class="outcome-failure">FAILURE</span>');
       }
-      $outcome .= ' '.phutil_escape_html($apply_xscript->getAppliedReason());
 
       $rows[] = array(
         phutil_escape_html($action_names[$apply_xscript->getAction()]),
-        $target,
+        phutil_escape_html($target),
-        '<strong>Taken because:</strong> '.
+        hsprintf(
-        phutil_escape_html($apply_xscript->getReason()).
+          '<strong>Taken because:</strong> %s<br />'.
-        '<br />'.
+            '<strong>Outcome:</strong> %s %s',
-        '<strong>Outcome:</strong> '.$outcome,
+          $apply_xscript->getReason(),
+          $outcome,
+          $apply_xscript->getAppliedReason()),
       );
     }
 
@@ -351,48 +348,48 @@ final class HeraldTranscriptController extends HeraldController {
       $cond_markup = array();
       foreach ($xscript->getConditionTranscriptsForRule($rule_id) as $cond) {
         if ($cond->getNote()) {
-          $note =
+          $note = hsprintf(
-            '<div class="herald-condition-note">'.
+            '<div class="herald-condition-note">%s</div>',
-              phutil_escape_html($cond->getNote()).
+            $cond->getNote());
-            '</div>';
         } else {
           $note = null;
         }
 
         if ($cond->getResult()) {
-          $result =
+          $result = hsprintf(
             '<span class="herald-outcome condition-pass">'.
               "\xE2\x9C\x93".
-            '</span>';
+            '</span>');
         } else {
-          $result =
+          $result = hsprintf(
             '<span class="herald-outcome condition-fail">'.
               "\xE2\x9C\x98".
-            '</span>';
+            '</span>');
         }
 
-        $cond_markup[] =
+        $cond_markup[] = phutil_tag(
-          '<li>'.
+          'li',
-            $result.' Condition: '.
+          array(),
-            phutil_escape_html($field_names[$cond->getFieldName()]).
+          hsprintf(
-            ' '.
+            '%s Condition: %s %s %s%s',
-            phutil_escape_html($condition_names[$cond->getCondition()]).
+            $result,
-            ' '.
+            $field_names[$cond->getFieldName()],
-            $this->renderConditionTestValue($cond, $handles).
+            $condition_names[$cond->getCondition()],
-            $note.
+            $this->renderConditionTestValue($cond, $handles),
-          '</li>';
+            $note));
       }
 
       if ($rule->getResult()) {
-        $result = '<span class="herald-outcome rule-pass">PASS</span>';
+        $result = hsprintf(
+          '<span class="herald-outcome rule-pass">PASS</span>');
         $class = 'herald-rule-pass';
       } else {
-        $result = '<span class="herald-outcome rule-fail">FAIL</span>';
+        $result = hsprintf(
+          '<span class="herald-outcome rule-fail">FAIL</span>');
         $class = 'herald-rule-fail';
       }
 
-      $cond_markup[] =
+      $cond_markup[] = hsprintf('<li>%s %s</li>', $result, $rule->getReason());
-        '<li>'.$result.' '.phutil_escape_html($rule->getReason()).'</li>';
 
 /*
       if ($rule->getResult()) {
@@ -426,16 +423,16 @@ final class HeraldTranscriptController extends HeraldController {
       }
 
       $rule_markup[] =
-        phutil_render_tag(
+        phutil_tag(
           'li',
           array(
             'class' => $class,
           ),
-          '<div class="rule-name">'.
+          hsprintf(
-            '<strong>'.phutil_escape_html($name).'</strong> '.
+            '<div class="rule-name"><strong>%s</strong> %s</div>%s',
-            phutil_escape_html($handles[$rule->getRuleOwner()]->getName()).
+            $name,
-          '</div>'.
+            $handles[$rule->getRuleOwner()]->getName(),
-          '<ul>'.implode("\n", $cond_markup).'</ul>');
+            phutil_tag('ul', array(), $cond_markup)));
     }
 
     $panel = new AphrontPanelView();

src/applications/maniphest/controller/ManiphestSavedQueryDeleteController.php

@@ -34,11 +34,9 @@ final class ManiphestSavedQueryDeleteController extends ManiphestController {
     $dialog = id(new AphrontDialogView())
       ->setUser($user)
       ->setTitle('Really delete this query?')
-      ->appendChild(
+      ->appendChild(hsprintf(
-        '<p>'.
+        '<p>Really delete the query "%s"? It will be lost forever!</p>',
-          'Really delete the query "'.phutil_escape_html($name).'"? '.
+        $name))
-          'It will be lost forever!'.
-        '</p>')
       ->addCancelButton('/maniphest/custom/')
       ->addSubmitButton('Delete');
 

src/applications/owners/controller/PhabricatorOwnersDeleteController.php

@@ -27,10 +27,10 @@ final class PhabricatorOwnersDeleteController
     $dialog = id(new AphrontDialogView())
       ->setUser($user)
       ->setTitle('Really delete this package?')
-      ->appendChild(
+      ->appendChild(hsprintf(
-        '<p>Are you sure you want to delete the "'.
+        '<p>Are you sure you want to delete the "%s" package? This operation '.
-        phutil_escape_html($package->getName()).'" package? This operation '.
+          'can not be undone.</p>',
-        'can not be undone.</p>')
+        $package->getName()))
       ->addSubmitButton('Delete')
       ->addCancelButton('/owners/package/'.$package->getID().'/')
       ->setSubmitURI($request->getRequestURI());

src/applications/owners/controller/PhabricatorOwnersDetailController.php

@@ -92,8 +92,7 @@ final class PhabricatorOwnersDetailController
           'path'     => $path->getPath(),
           'action'   => 'browse'
         ));
-      $repo_name = '<strong>'.phutil_escape_html($repo->getName()).
+      $repo_name = phutil_tag('strong', array(), $repo->getName());
-                   '</strong>';
       $path_link = phutil_tag(
         'a',
         array(

src/applications/owners/controller/PhabricatorOwnersListController.php

@@ -253,7 +253,7 @@ final class PhabricatorOwnersListController
             ));
           $pkg_paths[$key] =
             ($path->getExcluded() ? '–' : '+').' '.
-            '<strong>'.phutil_escape_html($repo->getName()).'</strong> '.
+            phutil_tag('strong', array(), $repo->getName()).
             phutil_tag(
               'a',
               array(

src/applications/people/controller/PhabricatorPeopleProfileController.php

@@ -182,36 +182,36 @@ final class PhabricatorPeopleProfileController
 
     $viewer = $this->getRequest()->getUser();
 
-    $content =
+    $content = hsprintf(
       '<div class="phabricator-profile-info-group">
         <h1 class="phabricator-profile-info-header">Basic Information</h1>
         <div class="phabricator-profile-info-pane">
           <table class="phabricator-profile-info-table">
             <tr>
               <th>PHID</th>
-              <td>'.phutil_escape_html($user->getPHID()).'</td>
+              <td>%s</td>
             </tr>
             <tr>
               <th>User Since</th>
-              <td>'.phabricator_datetime($user->getDateCreated(),
+              <td>%s</td>
-                                         $viewer).
-             '</td>
             </tr>
           </table>
         </div>
-      </div>';
+      </div>'.
-    $content .=
       '<div class="phabricator-profile-info-group">
         <h1 class="phabricator-profile-info-header">Flavor Text</h1>
         <div class="phabricator-profile-info-pane">
           <table class="phabricator-profile-info-table">
             <tr>
               <th>Blurb</th>
-              <td>'.$blurb.'</td>
+              <td>%s</td>
             </tr>
           </table>
         </div>
-      </div>';
+      </div>',
+      $user->getPHID(),
+      phabricator_datetime($user->getDateCreated(), $viewer),
+      $blurb);
 
     return $content;
   }

src/applications/phame/controller/blog/PhameBlogFeedController.php

@@ -35,20 +35,19 @@ final class PhameBlogFeedController extends PhameController {
       ->execute();
 
     $content = array();
-    $content[] = '<feed xmlns="http://www.w3.org/2005/Atom">';
+    $content[] = phutil_tag('title', array(), $blog->getName());
-    $content[] = '<title>'.phutil_escape_html($blog->getName()).'</title>';
+    $content[] = phutil_tag('id', array(), PhabricatorEnv::getProductionURI(
-    $content[] = '<id>'.phutil_escape_html(PhabricatorEnv::getProductionURI(
+      '/phame/blog/view/'.$blog->getID().'/'));
-      '/phame/blog/view/'.$blog->getID().'/')).'</id>';
 
     $updated = $blog->getDateModified();
     if ($posts) {
       $updated = max($updated, max(mpull($posts, 'getDateModified')));
     }
-    $content[] = '<updated>'.date('c', $updated).'</updated>';
+    $content[] = phutil_tag('updated', array(), date('c', $updated));
 
     $description = $blog->getDescription();
     if ($description != '') {
-      $content[] = '<subtitle>'.phutil_escape_html($description).'</subtitle>';
+      $content[] = phutil_tag('subtitle', array(), $description);
     }
 
     $engine = id(new PhabricatorMarkupEngine())->setViewer($user);
@@ -63,37 +62,39 @@ final class PhameBlogFeedController extends PhameController {
       ->loadHandles();
 
     foreach ($posts as $post) {
-      $content[] = '<entry>';
+      $content[] = hsprintf('<entry>');
-      $content[] = '<title>'.phutil_escape_html($post->getTitle()).'</title>';
+      $content[] = phutil_tag('title', array(), $post->getTitle());
-      $content[] = '<link href="'.phutil_escape_html($post->getViewURI()).'"/>';
+      $content[] = phutil_tag('link', array('href' => $post->getViewURI()));
 
-      $content[] = '<id>'.phutil_escape_html(PhabricatorEnv::getProductionURI(
+      $content[] = phutil_tag('id', array(), PhabricatorEnv::getProductionURI(
-        '/phame/post/view/'.$post->getID().'/')).'</id>';
+        '/phame/post/view/'.$post->getID().'/'));
 
-      $content[] =
+      $content[] = hsprintf(
-        '<author>'.
+        '<author><name>%s</name>%s</author>',
-        '<name>'.
+        $bloggers[$post->getBloggerPHID()]->getFullName());
-        phutil_escape_html($bloggers[$post->getBloggerPHID()]->getFullName()).
-        '</name>'.
-        '</author>';
 
-      $content[] = '<updated>'.date('c', $post->getDateModified()).'</updated>';
+      $content[] = phutil_tag(
+        'updated',
+        array(),
+        date('c', $post->getDateModified()));
 
-      $content[] =
+      $content[] = hsprintf(
         '<content type="xhtml">'.
-        '<div xmlns="http://www.w3.org/1999/xhtml">'.
+        '<div xmlns="http://www.w3.org/1999/xhtml">%s</div>'.
-        $engine->getOutput($post, PhamePost::MARKUP_FIELD_BODY).
+        '</content>',
-        '</div>'.
+        $engine->getOutput($post, PhamePost::MARKUP_FIELD_BODY));
-        '</content>';
 
-      $content[] = '</entry>';
+      $content[] = hsprintf('</entry>');
     }
 
-    $content[] = '</feed>';
+    $content = phutil_tag(
+      'feed',
+      array('xmlns' => 'http://www.w3.org/2005/Atom'),
+      $content);
 
     return id(new AphrontFileResponse())
       ->setMimeType('application/xml')
-      ->setContent(implode('', $content));
+      ->setContent($content);
   }
 
 }

src/applications/phriction/controller/PhrictionDocumentController.php

@@ -45,31 +45,16 @@ final class PhrictionDocumentController
         }
       }
       $create_uri = '/phriction/edit/?slug='.$slug;
-      $create_sentence =
-        'You can <strong>'.
-        phutil_tag(
-          'a',
-          array(
-            'href' => $create_uri,
-          ),
-          'create a new document').
-          '</strong>.';
-      $button = phutil_tag(
-        'a',
-        array(
-          'href' => $create_uri,
-          'class' => 'green button',
-        ),
-        'Create Page');
 
-      $page_content =
+      $page_content = hsprintf(
         '<div class="phriction-content">'.
           '<em>No content here!</em><br />'.
-          'No document found at <tt>'.phutil_escape_html($slug).'</tt>. '.
+          'No document found at <tt>%s</tt>. '.
-          $create_sentence.
+          'You can <strong><a href="%s">create a new document</a></strong>.'.
-        '</div>';
+        '</div>',
+        $slug,
+        $create_uri);
       $page_title = 'Page Not Found';
-      $buttons = $button;
     } else {
       $version = $request->getInt('v');
       if ($version) {

src/applications/ponder/view/PonderQuestionSummaryView.php

@@ -25,26 +25,23 @@ final class PonderQuestionSummaryView extends AphrontView {
     $authorlink = $handles[$author_phid]
       ->renderLink();
 
-    $votecount =
+    $votecount = hsprintf(
       '<div class="ponder-summary-votes">'.
-        phutil_escape_html($question->getVoteCount()).
+        '%s'.
-        '<div class="ponder-question-label">'.
+        '<div class="ponder-question-label">votes</div>'.
-          'votes'.
+      '</div>',
-        '</div>'.
+      $question->getVoteCount());
-      '</div>';
 
     $answerclass = "ponder-summary-answers";
     if ($question->getAnswercount() == 0) {
       $answerclass .= " ponder-not-answered";
     }
-    $answercount =
+    $answercount = hsprintf(
       '<div class="ponder-summary-answers">'.
-        phutil_escape_html($question->getAnswerCount()).
+        '%s'.
-        '<div class="ponder-question-label">'.
+        '<div class="ponder-question-label">answers</div>'.
-          'answers'.
+      '</div>',
-        '</div>'.
+      $question->getAnswerCount());
-      '</div>';
-
 
     $title =
       '<h2 class="ponder-question-title">'.

src/applications/project/controller/PhabricatorProjectProfileController.php

@@ -129,8 +129,7 @@ final class PhabricatorProjectProfileController
     $viewer = $this->getRequest()->getUser();
 
     $blurb = $profile->getBlurb();
-    $blurb = phutil_escape_html($blurb);
+    $blurb = phutil_escape_html_newlines($blurb);
-    $blurb = str_replace("\n", '<br />', $blurb);
 
     $phids = array($project->getAuthorPHID());
     $phids = array_unique($phids);
@@ -138,30 +137,34 @@ final class PhabricatorProjectProfileController
 
     $timestamp = phabricator_datetime($project->getDateCreated(), $viewer);
 
-    $about =
+    $about = hsprintf(
       '<div class="phabricator-profile-info-group">
         <h1 class="phabricator-profile-info-header">About</h1>
         <div class="phabricator-profile-info-pane">
           <table class="phabricator-profile-info-table">
             <tr>
               <th>Creator</th>
-              <td>'.$handles[$project->getAuthorPHID()]->renderLink().'</td>
+              <td>%s</td>
             </tr>
             <tr>
               <th>Created</th>
-              <td>'.$timestamp.'</td>
+              <td>%s</td>
             </tr>
             <tr>
               <th>PHID</th>
-              <td>'.phutil_escape_html($project->getPHID()).'</td>
+              <td>%s</td>
             </tr>
             <tr>
               <th>Blurb</th>
-              <td>'.$blurb.'</td>
+              <td>%s</td>
             </tr>
           </table>
         </div>
-      </div>';
+      </div>',
+      $handles[$project->getAuthorPHID()]->renderLink(),
+      $timestamp,
+      $project->getPHID(),
+      $blurb);
 
     return $about;
   }

src/applications/repository/controller/PhabricatorRepositoryArcanistProjectDeleteController.php

@@ -28,10 +28,10 @@ final class PhabricatorRepositoryArcanistProjectDeleteController
     $dialog
       ->setUser($request->getUser())
       ->setTitle('Really delete this arcanist project?')
-      ->appendChild(
+      ->appendChild(hsprintf(
-        '<p>Really delete the "'.phutil_escape_html($arc_project->getName()).
+        '<p>Really delete the "%s" arcanist project? '.
-        '" arcanist project? '.
+          'This operation can not be undone.</p>',
-        'This operation can not be undone.</p>')
+        $arc_project->getName()))
       ->setSubmitURI('/repository/project/delete/'.$this->id.'/')
       ->addSubmitButton('Delete Arcanist Project')
       ->addCancelButton('/repository/');

src/applications/repository/controller/PhabricatorRepositoryDeleteController.php

@@ -24,8 +24,7 @@ final class PhabricatorRepositoryDeleteController
 
     $dialog = new AphrontDialogView();
     $text_1 = pht('If you really want to delete the repository, you must run:');
-    $command = 'bin/repository delete '.
+    $command = 'bin/repository delete '.$repository->getCallsign();
-               phutil_escape_html($repository->getCallsign());
     $text_2 = pht('Repositories touch many objects and as such deletes are '.
                   'prohibitively expensive to run from the web UI.');
     $body = phutil_tag(

src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php

@@ -301,9 +301,9 @@ final class PhabricatorSettingsPanelEmailAddresses
       ->setUser($user)
       ->addHiddenInput('verify', $email_id)
       ->setTitle("Send Another Verification Email?")
-      ->appendChild(
+      ->appendChild(hsprintf(
-        '<p>Send another copy of the verification email to '.
+        '<p>Send another copy of the verification email to %s?</p>',
-        phutil_escape_html($address).'?</p>')
+        $address))
       ->addSubmitButton('Send Email')
       ->addCancelButton($uri);
 
@@ -342,9 +342,10 @@ final class PhabricatorSettingsPanelEmailAddresses
       ->setUser($user)
       ->addHiddenInput('primary', $email_id)
       ->setTitle("Change primary email address?")
-      ->appendChild(
+      ->appendChild(hsprintf(
         '<p>If you change your primary address, Phabricator will send all '.
-        'email to '.phutil_escape_html($address).'.</p>')
+          'email to %s.</p>',
+        $address))
       ->addSubmitButton('Change Primary Address')
       ->addCancelButton($uri);
 

src/applications/uiexample/controller/PhabricatorUIExampleRenderController.php

@@ -43,16 +43,14 @@ final class PhabricatorUIExampleRenderController extends PhabricatorController {
 
     require_celerity_resource('phabricator-ui-example-css');
 
-    $nav->appendChild(
+    $nav->appendChild(hsprintf(
       '<div class="phabricator-ui-example-header">'.
-        '<h1 class="phabricator-ui-example-name">'.
+        '<h1 class="phabricator-ui-example-name">%s (%s)</h1>'.
-          phutil_escape_html($example->getName()).
+        '<p class="phabricator-ui-example-description">%s</p>'.
-          ' ('.get_class($example).')'.
+      '</div>',
-        '</h1>'.
+      $example->getName(),
-        '<p class="phabricator-ui-example-description">'
+      get_class($example),
-          .$example->getDescription().
+      $example->getDescription()));
-        '</p>'.
-      '</div>');
 
     $nav->appendChild($result);
 

src/applications/uiexample/examples/PhabricatorActionListExample.php

@@ -7,7 +7,8 @@ final class PhabricatorActionListExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>PhabricatorActionListView</tt> to render object actions.';
+    return hsprintf(
+      'Use <tt>PhabricatorActionListView</tt> to render object actions.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorButtonsExample.php

@@ -7,7 +7,7 @@ final class PhabricatorButtonsExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>&lt;button&gt;</tt> to render buttons.';
+    return hsprintf('Use <tt>&lt;button&gt;</tt> to render buttons.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorErrorExample.php

@@ -7,8 +7,8 @@ final class PhabricatorErrorExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>AphrontErrorView</tt> to render errors, warnings and '.
+    return hsprintf(
-           'notices.';
+      'Use <tt>AphrontErrorView</tt> to render errors, warnings and notices.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorFormExample.php

@@ -7,7 +7,7 @@ final class PhabricatorFormExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>AphrontFormView</tt> to render forms.';
+    return hsprintf('Use <tt>AphrontFormView</tt> to render forms.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorPropertyListExample.php

@@ -7,8 +7,8 @@ final class PhabricatorPropertyListExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>PhabricatorPropertyListView</tt> to render object '.
+    return hsprintf(
-           'properties.';
+      'Use <tt>PhabricatorPropertyListView</tt> to render object properties.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorTagExample.php

@@ -7,7 +7,7 @@ final class PhabricatorTagExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>PhabricatorTagView</tt> to render various tags.';
+    return hsprintf('Use <tt>PhabricatorTagView</tt> to render various tags.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorTimelineExample.php

@@ -7,7 +7,8 @@ final class PhabricatorTimelineExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>PhabricatorTimelineView</tt> to comments and transactions.';
+    return hsprintf(
+      'Use <tt>PhabricatorTimelineView</tt> to comments and transactions.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorUIListFilterExample.php

@@ -7,8 +7,9 @@ final class PhabricatorUIListFilterExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>AphrontListFilterView</tt> to layout controls for '.
+    return hsprintf(
-           'filtering and manipulating lists of objects.';
+      'Use <tt>AphrontListFilterView</tt> to layout controls for filtering '.
+      'and manipulating lists of objects.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorUINotificationExample.php

@@ -7,7 +7,7 @@ final class PhabricatorUINotificationExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>JX.Notification</tt> to create notifications.';
+    return hsprintf('Use <tt>JX.Notification</tt> to create notifications.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorUIPagerExample.php

@@ -7,8 +7,9 @@ final class PhabricatorUIPagerExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>AphrontPagerView</tt> to create a control which allows '.
+    return hsprintf(
-           'users to paginate through large amounts of content.';
+      'Use <tt>AphrontPagerView</tt> to create a control which allows '.
+      'users to paginate through large amounts of content.');
   }
 
   public function renderExample() {

src/applications/uiexample/examples/PhabricatorUITooltipExample.php

@@ -7,7 +7,7 @@ final class PhabricatorUITooltipExample extends PhabricatorUIExample {
   }
 
   public function getDescription() {
-    return 'Use <tt>JX.Tooltip</tt> to create tooltips.';
+    return hsprintf('Use <tt>JX.Tooltip</tt> to create tooltips.');
   }
 
   public function renderExample() {

src/infrastructure/diff/view/PhabricatorInlineSummaryView.php

@@ -39,12 +39,7 @@ final class PhabricatorInlineSummaryView extends AphrontView {
         }
       }
 
-      $rows[] =
+      $rows[] = hsprintf('<tr><th colspan="3">%s</th></tr>', $group);
-        '<tr>'.
-          '<th colspan="3">'.
-            phutil_escape_html($group).
-          '</th>'.
-        '</tr>';
 
       foreach ($items as $item) {
 
@@ -88,10 +83,8 @@ final class PhabricatorInlineSummaryView extends AphrontView {
         $rows[] =
           '<tr>'.
             '<td class="inline-line-number">'.$lines.'</td>'.
-            ($has_where ?
+            ($has_where
-              '<td class="inline-which-diff">'.
+              ? hsprintf('<td class="inline-which-diff">%s</td>', $where)
-                phutil_escape_html($where).
-              '</td>'
               : null).
             '<td class="inline-summary-content"'.$colspan.'>'.
               '<div class="phabricator-remarkup">'.

src/view/AphrontDialogView.php

@@ -156,9 +156,7 @@ final class AphrontDialogView extends AphrontView {
     }
 
     $content =
-      '<div class="aphront-dialog-head">'.
+      hsprintf('<div class="aphront-dialog-head">%s</div>', $this->title).
-        phutil_escape_html($this->title).
-      '</div>'.
       '<div class="aphront-dialog-body">'.
         $this->renderChildren().
       '</div>'.

src/view/control/PhabricatorObjectSelectorDialog.php

@@ -136,9 +136,9 @@ final class PhabricatorObjectSelectorDialog {
     $attached_box =
       '<div class="phabricator-object-selector-current">'.
         '<div class="phabricator-object-selector-currently-attached">'.
-          '<div class="phabricator-object-selector-header">'.
+          hsprintf(
-            phutil_escape_html($this->header).
+            '<div class="phabricator-object-selector-header">%s</div>',
-          '</div>'.
+            $this->header).
           '<div id="'.$current_id.'">'.
           '</div>'.
           $instructions.

src/view/layout/PhabricatorProfileHeaderView.php

@@ -47,33 +47,29 @@ final class PhabricatorProfileHeaderView extends AphrontView {
         '');
     }
 
-    $description = phutil_escape_html($this->profileDescription);
+    $description = $this->profileDescription;
     if ($this->profileStatus != '') {
-      $description =
+      $description = hsprintf(
-        '<strong>'.phutil_escape_html($this->profileStatus).'</strong>'.
+        '<strong>%s</strong>%s',
-        ($description != '' ? ' &mdash; ' : '').
+        $this->profileStatus,
-        $description;
+        ($description != '' ? "\xE2\x80\x94".$description : ''));
     }
 
-    return
+    return hsprintf(
       '<table class="phabricator-profile-header">
         <tr>
-          <td class="profile-header-name">'.
+          <td class="profile-header-name">%s</td>
-            phutil_escape_html($this->profileName).
+          <td class="profile-header-actions" rowspan="2">%s</td>
-          '</td>
+          <td class="profile-header-picture" rowspan="2">%s</td>
-          <td class="profile-header-actions" rowspan="2">'.
-            self::renderSingleView($this->profileActions).
-          '</td>
-          <td class="profile-header-picture" rowspan="2">'.
-            $image.
-          '</td>
         </tr>
         <tr>
-          <td class="profile-header-description">'.
+          <td class="profile-header-description">%s</td>
-            $description.
-          '</td>
         </tr>
-      </table>'.
+      </table>',
+      $this->profileName,
+      phutil_safe_html(self::renderSingleView($this->profileActions)),
+      $image,
+      $description).
       $this->renderChildren();
   }
 }

src/view/page/AphrontRequestFailureView.php

@@ -16,7 +16,7 @@ final class AphrontRequestFailureView extends AphrontView {
     return
       '<div class="aphront-request-failure-view">'.
         '<div class="aphront-request-failure-head">'.
-          '<h1>'.phutil_escape_html($this->header).'</h1>'.
+          phutil_tag('h1', array(), $this->header).
         '</div>'.
         '<div class="aphront-request-failure-body">'.
           $this->renderChildren().