The text
binding in Knockout will escape the value by create a text node and populating it with the value.
The html
binding, on the other hand, would not do this type of escaping and could potentially execute code, so you would not want to use it with user entered input.