by krapp 4291 days ago
I find it odd that a language whose entire purpose is mixing code in with HTML doesn't come with the ability to automatically escape any echoed string by default. If you're not using something like Twig you have to wrap each variable in htmlspecialchars or something.

The argument that 'PHP is a framework' may be valid, but as a framework, raw PHP kind of sucks.

1 comments

PHP is simply a scripting language. It has numerous other uses besides just "mixing code in with html"; it wouldn't make sense to have something like that enabled by default. For example, all console scripts would need to disable it.

Yes, it's a general-purpose language and can be used for many different things, but as its name once indicated, PHP's primary use case is preprocessing hypertext. I think it would make sense since that's what almost all the PHP in the wild is involved with. Although I'm sure escaping could also be disabled by default when running from the command line.