At least that's how I see it. Ideally you'd use something similar to prepared statements, just for HTML templates.