by krapp 4274 days ago
Twig, at least, escapes by default. Laravel's Blade templates don't, unless that's changed recently.

But the price you pay for that of course is no longer working directly in PHP but a templating language with its own syntax (for instance, array shorthand in Twig templates [] has worked since I don't know when but only recently has PHP gotten around to supporting it) which has to be parsed, and partially compiled into PHP classes.


Yeah, frameworks that use raw PHP files as views at least have that as an excuse. But the cost of using a simple template engine with good caching support seems to be minimal compared to the benefit of XSS prevention. CodeIgniter, for example, can convert short tags to full PHP tags if short tags are turned off in php.ini. They might as well wrap htmlspecialchars() around every {$var} while they're at it.

Non-PHP frameworks, on the other hand, really have no excuse.

> but only recently has PHP gotten around to supporting it

You're talking about the `[]` short-hand for arrays, right? That was released in version 5.4, in March 2012. I wouldn't really say that's "recent", at least in my opinion.

It is still relatively recent, if you consider how many older PHP installs are out there. I've had to write around this on a few projects, when I found out my client's server had no idea what the array shorthand or namespaces were.

In Laravel Version 5 (due in a month or two), escaping will be on by default.

Yep, and to output unescaped you have to use {!! $foo !!}, which at least makes it obvious at a glance, as {{{ $foo }}} and {{ $foo }} got lost easily.
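As an added example (not code from the thread, nor Laravel's or Twig's implementation), here is a minimal renderer in the Blade-style syntax the replies describe: `{{ $var }}` is escaped by default and only `{!! $var !!}` passes through raw, which is the "wrap htmlspecialchars() around every variable" idea from above. The `e()` and `render()` names and the sample template are assumptions.

```php
<?php
// Added example, not Laravel's Blade: a tiny escape-by-default renderer.
// {{ $name }}  -> HTML-escaped output (the safe default)
// {!! $name !!} -> raw output, visibly marked as such in the template

// Escape helper. ENT_QUOTES matters: before PHP 8.1 the default flags
// leave single quotes alone, which is unsafe inside attr='...'.
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a template against a variable map. Unknown variables are an
// error rather than silently empty, so typos do not hide output.
function render(string $template, array $vars): string
{
    $pattern = '/\{(!!|\{)\s*\$([A-Za-z_][A-Za-z0-9_]*)\s*(!!|\})\}/';
    return preg_replace_callback($pattern, function (array $m) use ($vars) {
        [$all, $open, $name, $close] = $m;
        if (!array_key_exists($name, $vars)) {
            throw new RuntimeException("Undefined template variable \$$name");
        }
        $value = (string) $vars[$name];
        if ($open === '!!' && $close === '!!') {
            return $value;          // explicit opt-out: raw markup
        }
        if ($open === '{' && $close === '}') {
            return e($value);       // the default path: escaped
        }
        return $all;                // mismatched delimiters: leave untouched
    }, $template);
}

// Constructed sample input: a comment body under attacker control plus a
// piece of markup the application itself produced.
$untrusted = "<script>alert('xss')</script>";
$trusted   = '<b>rendered by the app</b>';
$tpl = "<p class='c'>{{ \$body }}</p>\n<div>{!! \$html !!}</div>\n";

echo render($tpl, ['body' => $untrusted, 'html' => $trusted]);
```

The first line of output shows the script tag and its single quotes neutralised, the second shows the markup intact; grepping a codebase for `{!!` then lists every place that deliberately bypasses escaping.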