Can we make the ezhttp operator safer by default without breaking BC?

The PR #1349 uses PHPs filter_var() to strip out tags, with FILTER_SANITIZE_STRING and FILTER_FLAG_STRIP_LOW|FILTER_FLAG_NO_ENCODE_QUOTES. Unsure if this is backwards compatible in every case, or whether it may break some sites.

Input, reviews, and improvements are welcome!