That's a good point, we can always filter the output externally like SQL injection checking