[Flimm]

You do get XSS protection out of the box in most templating languages, though, and PHP is also a templating language.

Take this template:

  <h1>{{ title }}</h1>

In most templating languages, for a title of "<script>alert();</script>", the result will end up being:

  <h1>&lt;script&gt;alert();&lt;/script&gt;</h1>

In PHP, which is a templating language, the equivalent seems to be:

  <h1><?php echo $title; ?></h1>

But this will print the title unescaped, which is a security vulnerability, and incorrect. In reality, the equivalent is:

  <h1><?php echo htmlspecialchars($title); ?></h1>

Now, you could say, don't use PHP as a templating language! But if you're not supposed to use PHP as a templating language, why does it behave as one? This is one of PHP's footguns to be avoided. Personally, I recommend a linter like PHPCS to catch issues like this one.

[deanc]

Templating languages are abstractions on top of other technologies. I don't see how PHP is a templating language. I could write that exact same code above in NodeJS and I'd need to use mustache to escape the output. So you can make the same mistakes in Node, Python.

Nobody writes PHP mixing HTML and PHP anymore, and if you do you should run. Shit code is not unique to PHP and I've seen more than my life's share in JS and Python codebases.

[ptx]

> I don't see how PHP is a templating language [...] Nobody writes PHP mixing HTML and PHP anymore

PHP is designed to be a template language, but it's a terrible template language, so nobody (it is claimed) uses it as it was originally designed to be used anymore.

So "use PHP" is not good advice if what you mean is "use a web framework and a separate third-party template language", which works just as well in any language and doesn't give PHP any particular advantage.

[frou_dh]

Tangential, but I've always found Mustache's tagline "logic-less templates" confusing - what they mean is that the template language doesn't have control flow. Logic is not a synonym of control flow in my mind.