do the escaping inside `template_to_string`

packages/svelte/src/compiler/phases/3-transform/client/transform-template/to-string.js

@@ -1,6 +1,7 @@
 /**
  * @import { TemplateOperations } from "../types.js"
  */
+import { escape_html } from '../../../../../escaping.js';
 import { is_void } from '../../../../../utils.js';
 
 /**
@@ -67,7 +68,7 @@ export function template_to_string(items) {
 				const el = /** @type {Element} */ (last_current_element);
 				const [prop, value] = /** @type {string[]} */ (instruction.args);
 				el.props ??= {};
-				el.props[prop] = value;
+				el.props[prop] = escape_html(value, true);
 				break;
 			}
 		}

packages/svelte/src/compiler/phases/3-transform/client/visitors/RegularElement.js

@@ -122,14 +122,7 @@ export function RegularElement(node, context) {
 					if (value.type === 'Literal' && typeof value.value === 'string') {
 						context.state.template.push({
 							kind: 'set_prop',
-							args: [
+							args: ['is', value.value]
-								'is',
-								// if we are using the functional template mode we don't want to escape since we will
-								// create a text node from it which is already escaped
-								context.state.is_functional_template_mode
-									? value.value
-									: escape_html(value.value, true)
-							]
 						});
 						continue;
 					}
@@ -313,17 +306,7 @@ export function RegularElement(node, context) {
 					context.state.template.push({
 						kind: 'set_prop',
 						args: [attribute.name].concat(
-							is_boolean_attribute(name) && value === true
+							is_boolean_attribute(name) && value === true ? [] : [value === true ? '' : value]
-								? []
-								: [
-										value === true
-											? ''
-											: // if we are using the functional template mode we don't want to escape since we will
-												// create a text node from it which is already escaped
-												context.state.is_functional_template_mode
-												? value
-												: escape_html(value, true)
-									]
 						)
 					});
 				}