Safe Mode Was Opt In
A library exposes sanitization as opt-in flags, and its defaults are unsafe. A caller wires the library's output into a sink that interprets the result as code (raw HTML, SQL, shell) and accepts the unsafe defaults by reaching for the library's static or factory helper instead of constructing the instance and setting the flags. The flags already exist in the library; the fix is to set them.
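
The pattern and its fix for an HTML sink, as an added example that is not from the original page or from any real library. `MiniMarkup`, its `to_html` helper, both flag names and the sample input are hypothetical, constructed to model a library whose safety flags default to off; it is a toy model of the API shape, not a sanitizer to reuse.

```python
import html
import re

LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")
SAFE_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class MiniMarkup:
    """Hypothetical stand-in for a markup library: the safety flags
    exist, but both default to off."""

    def __init__(self, escape_html=False, sanitize_urls=False):
        self.escape_html = escape_html
        self.sanitize_urls = sanitize_urls

    @classmethod
    def to_html(cls, text):
        # Convenience helper: silently builds an instance with the defaults.
        return cls().render(text)

    def _link(self, match):
        label, url = match.groups()
        if self.sanitize_urls and not url.lower().startswith(SAFE_PREFIXES):
            url = "#"  # drop any URL outside the prefix allowlist
        return f'<a href="{url}">{label}</a>'

    def render(self, text):
        if self.escape_html:
            text = html.escape(text, quote=True)  # neutralise raw tags and quotes
        return "<p>" + LINK.sub(self._link, text) + "</p>"


def render_comment_unsafe(text):
    # The pattern described above: the helper is the shortest call, so the
    # unsafe defaults reach the HTML sink unchanged.
    return MiniMarkup.to_html(text)


def render_comment(text):
    # The fix: construct the instance and set the flags the library already has.
    return MiniMarkup(escape_html=True, sanitize_urls=True).render(text)


# Constructed sample input, not taken from a real incident.
SAMPLE = "hi <script>alert(1)</script> [click](javascript:x)"

if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE))
    print(render_comment(SAMPLE))
```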