by giulianob 4916 days ago
The problem I see is that if you aren't using a templating engine which automatically escapes things, people will make mistakes. Even then, there are times when you need to output raw HTML and perhaps end up forgetting to escape the part that was user input.

Yes, even with just PHP templating, you still would need at least wrapper functions around things like

print htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

Otherwise, yeah, someone will miss one instance and that's all it takes. One attack vector.

Well, PHP doesn't really handle it for you, so you do have to call the function yourself. If you look at something like Razor for ASP.NET MVC, every time you output a var (i.e. <span>@Model.FirstName</span>) it will automatically escape it. If you do not want to escape, then you need to call Html.Raw instead. PHP defaults to not escaping, while it really should, to make XSS less likely.
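The wrapper function the second comment calls for, and the escape-by-default / explicit-raw behaviour the third comment attributes to Razor, as an added PHP example that is not from any of the commenters. The helper names e(), raw(), render() and the RawHtml class are my own, the {{name}} placeholder syntax is invented for the demo, the sample input is constructed, and the code assumes PHP 8.1 or later for readonly promoted properties.

```php
<?php
// Added example (not from the thread): a fixed-flags escaping wrapper plus a
// tiny template renderer that escapes by default and only emits raw markup
// when the caller explicitly asks for it, the way Razor's Html.Raw works.
declare(strict_types=1);

// One place that pins the htmlspecialchars flags and charset.
// ENT_QUOTES escapes both ' and " so the result is safe inside attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
// returning an empty string, which would otherwise silently drop output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Marker type for markup that is already trusted or already escaped.
// Like Html.Raw, opting out of escaping has to be spelled out in the code,
// so it shows up in review instead of being the silent default.
final class RawHtml
{
    public function __construct(public readonly string $html) {}
}

function raw(string $html): RawHtml
{
    return new RawHtml($html);
}

// Replace {{name}} placeholders with escaped values. Only RawHtml values
// bypass e(), so "forgot to escape" cannot happen here; forgetting to mark
// trusted markup as raw merely renders it as visible text, which fails safe.
function render(string $template, array $vars): string
{
    return (string) preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return ''; // unknown placeholder renders as nothing, not as literal input
            }
            $v = $vars[$m[1]];
            return $v instanceof RawHtml ? $v->html : e((string) $v);
        },
        $template
    );
}

// Constructed sample value of the kind a user-supplied profile field might carry.
$firstName = '<script>alert(1)</script>';

// The unsafe pattern the thread is about: direct interpolation, equivalent to
// <span><?= $firstName ?></span> in a plain PHP template.
$unsafe = "<span>$firstName</span>";

// The same field through the wrapper: the angle brackets become entities and
// the browser renders the text instead of executing it.
$safe = '<span>' . e($firstName) . '</span>';

// Escape-by-default template; quotes in the class value are escaped too,
// and only the trusted <hr> is marked raw.
$page = render(
    '<span class="{{cls}}">{{name}}</span>{{footer}}',
    [
        'cls'    => 'user "admin"',
        'name'   => $firstName,
        'footer' => raw('<hr>'),
    ]
);

echo "unsafe: $unsafe", PHP_EOL;
echo "safe:   $safe", PHP_EOL;
echo "page:   $page", PHP_EOL;
```

The point of routing every placeholder through render() rather than remembering to call e() at each echo is the one giulianob makes: with escaping as the default, the only way to produce unescaped output is a visible raw() call, which is far easier to audit than hunting for the one `<?= $x ?>` somebody forgot to wrap.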