Note that I see no reason to encode quote characters here. It isn't like the result is being placed into an attribute value. (:

And I probably wouldn't encode all ampersands since they are useful and rather low risk. If you are worried about the little-supported javascriptish ampersand stuff, then I'd only encode those ampersands. But I guess taking something useful away from users out of combined fear and laziness is not a shockingly rare result.

Which leaves us with a couple of simple regexes and little reason to use a module:

s/&{/&{/g;
s/</&lt;/g;
[download]