by tannhaeuser 2087 days ago
> PHP was designed to have loops, logic, to take variables and so on and interpolate them within HTML. [...] one of the unique capabilities the language has

Totally agree, but unfortunately PHP's integration within a markup processor is quick and dirty, without consideration for context-dependent escaping and quoting etc., and hence continues to give rise to a large number of HTML injection attacks.

1 comment

This is true. I understand other languages (for example Go) have very nice features of this kind, contextual auto-escaping and so on. However, a lot of other languages also have these footguns around escaping and security.
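To make the contrast between the two comments concrete, here is an added example (not code from either commenter or from PHP or Go's own documentation). It renders one constructed template, with the same untrusted value placed in an HTML text node, a quoted attribute, a URL attribute and a script block, first with Go's text/template, which interpolates verbatim the way a bare PHP `echo` does, and then with html/template, which picks a different escaper for each of those contexts. The template, the struct, the payload and the `injected` check are all constructed for this illustration.

```go
// Added example: PHP-style raw interpolation (text/template) next to
// context-dependent escaping (html/template) on the same markup.
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"strings"
	texttmpl "text/template"
)

// page puts one untrusted value into four different HTML contexts:
// text node, quoted attribute, URL attribute, and JavaScript.
// (Constructed template for this example.)
const page = `<p>{{.Name}}</p>
<input value="{{.Name}}">
<a href="{{.Link}}">link</a>
<script>var name = {{.Name}};</script>`

// view is the data handed to the template (constructed for this example).
type view struct {
	Name string
	Link string
}

// renderRaw interpolates with text/template, which knows nothing about
// HTML. This is the `<?= $name ?>` / echo behaviour the first comment
// describes: whatever the user typed lands in the page unchanged.
func renderRaw(v view) string {
	t := texttmpl.Must(texttmpl.New("raw").Parse(page))
	var b bytes.Buffer
	if err := t.Execute(&b, v); err != nil {
		panic(err)
	}
	return b.String()
}

// renderContextual uses html/template, which tracks the parser state at
// each {{...}} and applies the escaper for that state: HTML entities in
// text and attribute values, scheme filtering for URLs, JSON encoding
// inside <script>.
func renderContextual(v view) string {
	t := htmltmpl.Must(htmltmpl.New("ctx").Parse(page))
	var b bytes.Buffer
	if err := t.Execute(&b, v); err != nil {
		panic(err)
	}
	return b.String()
}

// injected reports whether the payload survived as live markup: an
// unescaped script element or a javascript: URL in an href.
func injected(out string) bool {
	return strings.Contains(out, "<script>alert") ||
		strings.Contains(out, `href="javascript:`)
}

func main() {
	v := view{
		// Constructed attacker input: closes the attribute it lands in,
		// then opens a script element.
		Name: `"><script>alert(1)</script>`,
		Link: "javascript:alert(1)",
	}
	fmt.Println("--- text/template (raw, PHP-style) ---")
	fmt.Println(renderRaw(v))
	fmt.Println("--- html/template (contextual) ---")
	fmt.Println(renderContextual(v))
}
```

In the html/template output the same string comes out three different ways: `&#34;&gt;&lt;script&gt;...` in the text node and the attribute, a JSON string with `\u003c`/`\u003e` inside the script block, and the `javascript:` link replaced by `#ZgotmplZ`. A single escaping function applied by hand, which is what PHP's `htmlspecialchars` amounts to, cannot do the right thing in all four places; that is the footgun the second comment has in mind.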