I got to say that I consider this a kinda risky chance. While data.errorThrown may right now not echo back user controlled input this has still the potential to do bad things in the future… 🙈

Can we do that at

The file name is already escaped there, it is also escaped here.
The problem is, that the actual translation contains the ', and when using that string here as a parameter in the translation, it is html encoded and displayes as &#...;. So not sure how this could be fixed on the other place, if this place breaks it.

Simply unescape

Aha… Gotcha now… Let me think…

unescape what? the unescape option only affects parameters, but the parameter is not the problem. Also the value in data.errorThrown here is not a problem, it's still what we would display in the UI. It's the t() method here, which takes the translated string as an argument and thereby s/'/&#..; the first translation. TO avoid this I removed escaping from all parameters and only escaped the file name, since the string here is only translator controlled, not user controlled, we can and have to trust it anyway....

Ok. You're right. This is also properly escaped all since we don't use showHTML. (so even when passing HTML strings this shouldn't be rendered as HTML anyways)