Issue #1860594 by penyaskito, damiankloip, xjm, alexpott, sun: Ensure that randomString() always returns a character that needs to be escaped for HTML.