world-class / compass

Compass is a suite of tools for students enrolled in the University of London's online BSc in Computer Science program.


Escape all values in HTML

GHSam opened this issue:

I don't know if you want to, but it might be worth having EJS escape all output, just as a precaution, to avoid any potential XSS issues.

The code looks safe but escaping all output would prevent any issues if some user input did accidentally sneak in. I can create a PR for it if you want to do it.

@GHSam you are talking about changing all instances of `<%-` to `<%=`, correct? So `<%- foo %>` becomes `<%= foo %>`? I would merge such a PR.
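As an added example (not code from the Compass repository or from EJS itself), a minimal stand-in for EJS's two output tags shows what the proposed rewrite changes: `<%-` inserts the value as-is, `<%=` escapes it. The entity mapping mirrors what EJS emits for `<%= %>`; the template syntax is a deliberately reduced subset (plain key references only, no expressions or `include()`), and `hardenTemplate` is the textual rewrite the maintainer describes.

```javascript
// Added example, not the project's or EJS's code: a reduced model of EJS output tags.
// Same entity mapping EJS applies to "<%= %>" output.
const ENCODE_HTML_RULES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENCODE_HTML_RULES[ch]);
}

// Renders a template containing only "<%- key.path %>" (raw) and
// "<%= key.path %>" (escaped) references into keys of `data`.
// Missing values render as an empty string, as EJS does for null/undefined.
function render(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_match, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? text : escapeHtml(text);
  });
}

// The change proposed in the issue: rewrite every raw output tag to the escaped one.
// Returns the rewritten source plus a count, so the resulting diff can be reviewed.
function hardenTemplate(template) {
  let count = 0;
  const hardened = template.replace(/<%-/g, () => {
    count += 1;
    return '<%=';
  });
  return { hardened, count };
}

// Constructed sample: a page that echoes a user-supplied display name.
const SAMPLE_TEMPLATE = '<h1>Hello, <%- user.name %></h1>';
const SAMPLE_DATA = { user: { name: '<b>Sam</b> & "co"' } };

// Renders the sample before and after the rewrite so the difference is visible.
function demo() {
  const before = render(SAMPLE_TEMPLATE, SAMPLE_DATA);
  const { hardened, count } = hardenTemplate(SAMPLE_TEMPLATE);
  const after = render(hardened, SAMPLE_DATA);
  return { before, after, count };
}
```

A blanket `<%-` to `<%=` rewrite also catches tags that intentionally emit HTML, such as `<%- include(...) %>`, so each hit the count reports should be reviewed rather than applied blindly.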