Avoid raw HTML built from Rocket route parameters
Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.
#Metadata
#Why it matters
Raw HTML bypasses Rocket's escaping defaults and is a common XSS footgun when fed from path, query, or body inputs.
#Remediation
Prefer typed templates with auto-escaping, sanitize with a vetted HTML policy crate, or return plain text/JSON instead of `RawHtml`.
#Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml.