[lucian303]

Yes, even with just PHP templating, you still would need at least wrapper functions around things like

print htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

Otherwise, yeah, someone will miss one instance and that's all it takes. One attack vector.

[giulianob]

well PHP doesn't really handle it for you so you do have to call the function yourself. If you look at something like Razor for ASP.NET MVC, everytime you output a var (i.e. <span>@Model.FirstName</span>) it will automatically escape it. If you do not want to escape, then you need to call Html.Raw instead. PHP defaults to not escaping while it really should to make XSS less likely.