added conf.unescape global variable to control whether or not the injected statements should be unescaped