A good habit for Template code is escape all template vars. That way DB/User-input strings can be plain/arbitrary without risk of XSS attacks.