$msg = new Message( 'foo' ); echo $msg; // escaped echo $msg->plain(); echo $msg; // not escaped
Given how hard it is to track when messages are stringified via __toString, this makes security review for XSS holes hard and should be killed. If something relies on setting the formatting type upstream from the place of outputting, that should be done in a more explicit way.