by TeMPOraL 3475 days ago
This.

I can't comprehend the very idea of "template languages". Especially in PHP, because PHP itself is a decent template language by design. But even outside - they always evolve the same. They start as a "lightweight" way to avoid putting code into view templates, but then they slowly accrue conditionals, loops, local variables, half-assed tools for defining functions, and before you know it, your "no code allowed" template language becomes a Turing-complete and pretty crappy replication of PHP.

And all of that is orthogonal to the main insanity of this whole era - stitching HTML from strings. HTML is a structured tree format, and should be built out as a tree. Gluing strings together is the source of oh so many errors and security vulnerabilities...

Personally, I liked the CL-WHO approach - http://weitz.de/cl-who/.


And after you replicated PHP you come to the conclusion the templating language is as slow as hell. So you think: maybe we would need a compiler so we can cache the templates.

The question of course is: why would people rather use:

  {for item in list}<li>{item.name}</li>{end for}
instead of:

  <?php foreach($list as $item) { echo '<li>' . $item['name'] . '</li>'; } ?>
And I think this goes deep. People are looking for more human ways to express themselves. And PHP is not a very beautiful language. So maybe my first example looks more 'human' than the PHP example.
Note that in PHP you can also rewrite it as:

  <?php foreach($list as $item) { ?>
      <li><?= $item['name'] ?></li>
  <?php } ?>
Or with shortened PHP tags and alternative control structure syntax:

  <? foreach($list as $item): ?>
      <li><?= $item['name'] ?></li>
  <? endforeach; ?>
Which at this point just differs in delimiters (<? and ?> instead of { and }) from the template language.

I don't have an opinion on this "more human way" to express oneself, but it seems that it would connect this case with the reason people seem to prefer curly braces to parentheses in code too.

And then, to avoid XSS, you'd need to replace that by:

  <?php foreach($list as $item) { ?>
      <li><?= htmlentities($item['name']) ?></li>
  <?php } ?>
Which is, IMO, the main problem with using PHP (or any other form of plain string concatenation) as a templating language. Escaping everything (and security in general) should be the default, not something that you have to opt into at every turn.
True, though as you note, this is essentially true of any form of plain string concatenation. Dedicated templating languages tend to fail at this too.

Escaping-as-default helps, but people sometimes forget escaping is a function of output context. For example,

  <script>
    frobnicate("{bar}");
  </script>
is a potential vulnerability if the default escaping mechanism for {bar} is one meant for HTML.
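A pair of context-specific escaping helpers for the `<script>` case above, as an added example that is not code from the thread. It assumes PHP 7 or later, a UTF-8 page, and treats `frobnicate` as the hypothetical function the comment used.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 and UTF-8 output;
// $item stands in for untrusted data loaded from elsewhere.

// Escape for HTML text and attribute values. Flags are explicit so the result
// does not depend on the PHP version's defaults (before 8.1 the default left
// single quotes untouched).
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a value placed where a JavaScript string literal is expected
// inside a <script> block. json_encode emits the surrounding quotes itself;
// the HEX flags turn < > & ' " into \uXXXX, so a value containing
// "</script>" can never close the element, and non-ASCII (including the
// U+2028/U+2029 line terminators) is emitted as \uXXXX too.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed untrusted value with the characters each context cares about.
$item = ['name' => "O'Neil </script><b>x</b> \"q\""];
?>
<li><?= esc_html($item['name']) ?></li>
<script>
  // Wrong encoder for this context: browsers do not decode HTML entities
  // inside <script>, so the JS string receives the entity text literally, and
  // characters the HTML encoder ignores (backslash, newlines) still reach the
  // JS parser unchanged.
  // frobnicate("<?= esc_html($item['name']) ?>");

  // Right encoder: a JavaScript-string encoding, which supplies its own quotes.
  frobnicate(<?= esc_js($item['name']) ?>);
</script>
```

A JavaScript context that itself sits inside an HTML attribute (an `onclick` handler) needs both layers, JS encoding first and then HTML encoding, because the browser decodes entities in the attribute before parsing it as script.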
You can actually 100% separate HTML from server (or client) side logic if you wish to:

http://stampte.com/

I've never understood why people use templating engines in PHP. I've been an on again off again user of PHP for at least 7 years now, and I've never understood it for exactly the reasons you outlined.