Replying to [comment:8 m_gol]:
If we passed it through $.escapeHTML only if it's a function then we're saved from one additional function invocation on each manip operation and the only overhead is one additional
if. Is that a lot?
Well, it's still guaranteed to do at least two passes over the input (once for custom escaping and once to fix up self-closing tags) when someone sets up preprocessing, even if they're only trying to fix our mangling of script/textarea content (#14370) or attribute values (#14464). Come to think of it, that brings up the related question of whether preprocessing should precede, follow, or replace the currently-existing
.replace( rxhtmlTag, "<$1></$2>" ).
I feel regex might not be enough in some cases and we really should make it possible to secure our manip methods.
str = str.replace( /[\\w\\W]+/, fn ) is equivalent to
str = fn( str ) for any string-returning single-parameter
fn, and therefore guaranteed to support the same use cases. This is purely a question of API surface area.