String Types Considered Harmful (zen1th.me)
How should template autoescaping be implemented [in Zig without string types or type-tagged strings]?
E.g. Jinja2 implements autoescaping with MarkupSafe; strings wrapped in a Markup() type will not be autoescaped because they already have an .__html__() method.
MarkupSafe: https://pypi.org/project/MarkupSafe/
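The `__html__` protocol the comment above refers to, as an added example that is not MarkupSafe's or Jinja2's own code: a minimal `Markup` str subclass that carries the "already safe" tag, an `escape` function that honours that tag and escapes everything else, and a tiny `render` that pushes every template substitution through `escape`. The names `Markup`, `escape` and `render` are simplified stand-ins modelled on the real library's API, not the library itself; the inputs in `main` are constructed for the demonstration.

```python
import html
from typing import Any


class Markup(str):
    """A string whose contents are already known to be safe HTML.

    Simplified stand-in modelled on MarkupSafe's Markup type (added example,
    not the library's code). The only thing the autoescaper inspects is the
    presence of __html__, so wrapping untrusted input in Markup silently
    disables escaping for it: the tag is a promise, not a check.
    """

    def __html__(self) -> str:
        # Presence of this method is the type tag escape() looks for.
        return str(self)

    def __add__(self, other: Any) -> "Markup":
        # Markup + untrusted text escapes the untrusted side, keeping the
        # result safe.
        return Markup(str(self) + str(escape(other)))

    def __radd__(self, other: Any) -> "Markup":
        return Markup(str(escape(other)) + str(self))

    def format(self, *args: Any, **kwargs: Any) -> "Markup":
        # Format arguments are escaped unless they are themselves Markup.
        return Markup(
            str.format(
                self,
                *[escape(a) for a in args],
                **{k: escape(v) for k, v in kwargs.items()},
            )
        )


def escape(value: Any) -> Markup:
    """Autoescape entry point.

    Objects that declare __html__ are trusted as-is (this is why Markup values
    are not escaped twice); anything else is converted to str and escaped,
    including both quote characters so the result is safe inside attributes.
    """
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


def render(template: str, **context: Any) -> Markup:
    """Minimal autoescaping template: the template text is author-controlled
    and treated as Markup; every substituted value passes through escape()."""
    return Markup(template).format(**context)


def main() -> None:
    # Constructed sample inputs for the demonstration.
    user_name = "<script>alert(1)</script>"
    trusted_snippet = Markup("<b>bold</b>")
    attr_payload = '" onmouseover="alert(1)'

    print(render("<p>Hello {name}</p>", name=user_name))
    print(render("<p>{body}</p>", body=trusted_snippet))
    print(render('<a title="{t}">x</a>', t=attr_payload))
    # Escaping is idempotent because escape() returns Markup.
    print(escape(escape("<")))
    # The footgun: wrapping untrusted input in Markup bypasses escaping.
    print(render("<p>{body}</p>", body=Markup(user_name)))


if __name__ == "__main__":
    main()
```

The last line of `main` is the case a reviewer should grep for: any `Markup(...)` call whose argument is not a literal or a value produced by `escape`/`render` is a candidate injection point (CWE-74), because the tag is asserted by the caller rather than verified by the type.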
Some time ago, I started to create a project called "strypes" to teach or handle typed strings and escaping correctly.
"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" https://cwe.mitre.org/data/definitions/74.html