Doc Bug #42176 General XSS / CSRF considerations
Submitted: 2007-08-02 11:36 UTC Modified: 2007-08-16 15:55 UTC
From: judas dot iscariote at gmail dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: irrelevant
Private report: No CVE-ID: None
 [2007-08-02 11:36 UTC] judas dot iscariote at gmail dot com
Description:
------------
The "Example 12.11. More complex form variables" in

http://php.net/manual/en/language.variables.external.php

contains a security hole.


Reproduce code:
---------------
says:

echo '<a href="'. $_SERVER['PHP_SELF'] .'">Please try again</a>';


<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

as well as print_r($_POST)...

Expected result:
----------------
manual teaching good practices always: PHP_SELF escaped, as well as $_POST not printed without escaping

Actual result:
--------------
a how-to for permitting XSS in your code.

 [2007-08-02 13:51 UTC] philip@php.net
This is a tough question because this type of example is everywhere and escaping every variable throughout the entire manual gets messy. And do we know of a method that will work with 100% of all cases? Do we use filter, htmlspecialchars, or a custom way? No simple answer (that I know of).

I believe this was briefly discussed once and we decided to simply leave it, but, it's worth officially discussing and in need of a creative solution because this is a real problem.

Regardless, the security section (and tutorial) must both contain sections that talk about this topic so we may refer to them elsewhere. For example, the following is outdated:

http://php.net/manual/en/security.variables


 [2007-08-16 09:57 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

<?php
if ($_POST) {
    echo '<pre>';
    // Escape the dump so submitted values cannot inject markup into the page
    echo htmlspecialchars(print_r($_POST, true));
    echo '</pre>';
}
?>
<!-- An empty action posts back to the current URL without echoing PHP_SELF -->
<form action="" method="post">
    Name:  <input type="text" name="personal[name]" /><br />
    Email: <input type="text" name="personal[email]" /><br />
    Beer: <br />
    <select multiple name="beer[]">
        <option value="warthog">Warthog</option>
        <option value="guinness">Guinness</option>
        <option value="stuttgarter">Stuttgarter Schwabenbr&auml;u</option>
    </select><br />
    <input type="submit" value="submit me!" />
</form>
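
As an added example, not code from this report or from the PHP manual: the two escaping points the thread raises, PHP_SELF in the form action and $_POST echoed back, written as small helpers with a self-check on constructed input. The helper names h(), formAction() and renderPost(), and the sample path and POST values, are assumptions made for the illustration.

```php
<?php
// Added example (not from the bug report or the manual): escaping the two
// outputs discussed in the thread, with a self-check on constructed input.
declare(strict_types=1);

// Escape a string for insertion into HTML text or an attribute value.
// ENT_QUOTES covers both quote styles, so the result is safe inside action="...".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the form's action attribute. PHP_SELF reflects the request path as the
// client sent it, so it must never be emitted raw. An empty action, as the fixed
// manual example uses, sidesteps the issue; if the path is needed it goes through h().
function formAction(string $phpSelf): string
{
    return 'action="' . h($phpSelf) . '"';
}

// Render a (possibly nested) $_POST-style array as an HTML definition list with
// every key and value escaped, instead of print_r() dumped straight into the page.
function renderPost(array $data): string
{
    $out = '<dl>';
    foreach ($data as $key => $value) {
        $out .= '<dt>' . h((string) $key) . '</dt><dd>';
        $out .= is_array($value) ? renderPost($value) : h((string) $value);
        $out .= '</dd>';
    }
    return $out . '</dl>';
}

// Self-check on constructed input: no raw markup from user data may survive.
$samplePath = '/form.php/"><em>injected</em>';            // constructed hostile PHP_SELF
$samplePost = ['personal' => ['name' => '<b>Bob</b>', 'email' => 'a@b'], 'beer' => ['guinness']];

$action = formAction($samplePath);
$dump   = renderPost($samplePost);
assert(!str_contains($action, '<em>'));   // attribute cannot be closed early
assert(!str_contains($dump, '<b>'));      // submitted markup is rendered as text
echo $action, "\n", $dump, "\n";
```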

 [2007-08-16 12:10 UTC] philip@php.net
Still open, this is a general question/consideration that affects the entire manual.
 [2007-08-16 15:55 UTC] vrana@php.net
In my opinion - don't ever promote insecure code in the documentation. If you have another opinion, bring the discussion to the mailing list or phpdoc/rfc. If you know about any other holes, please report or fix them. Symptoms of this bug are fixed now so it can be closed IMHO.