I'm learning to code PHP modules.
I've seen some code using return theme('template.tpl.php', array('param' => $param)). Is this construction safe from XSS? Or must whatever I pass to the theme function be properly sanitized beforehand?
I'm asking this because some functions, e.g. watchdog, when used with parametrization, automatically encode input. Does this happen with the code mentioned above?