The error thrown by API route handlers.
Because the error message can come from the OpenID Connect
error query parameter we
do some basic escaping which makes sure the default error handler is safe from XSS.
If you write your own error handler, you should not render the error message without using a templating engine that will properly escape it for other HTML contexts first.