HTML escape substituted parameter values to avoid injection attacks.