How to properly insert user input into HTML mail so that it's properly escaped?

E.g. when a user enters <br> so that it’s not going to be interpreted as a line break

You can use the following technique which will allow you to produce the html markup easily while escaping any user inputs.

  1. Generate the HTML inside a variable
  2. Convert the variable to a string using AS:NodeToString() function

Example input:

  <Source test="&lt;br/&gt;"/>

Example XSLT:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="" version="1.0"
  xmlns:date="" exclude-result-prefixes="AS date">

  <xsl:template match="ROOT">
      <xsl:apply-templates select="Source"/>

  <xsl:template match="Source">
    <!-- generate the html into a variable first -->
    <xsl:variable name="body">
        <xsl:value-of select="@test"/>
        <!-- here you convert everything from a node-set to a string -->
        <xsl:value-of select="AS:NodeToString(AS:NodeSet($body))"/>