New: escape HTTP header value for 'message' (but assume 'code', 'type' and 'at' are safe)