You can already accomplish this using output buffering if so desired.  I don't 
see a need to add anything else into the mix.  For example:

------------------------------------------
<?php
$outputHandler = function($data){
	return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
};

ob_start($outputHandler);

echo '<script>alert(\'This will never be executed.\')</script>';

------------------------------------------

outputs:
&lt;script&gt;alert(&#039;This will never be executed.&#039;)&lt;/script&gt;

For the comment above.

Ok, You don't see the need?

Output buffering is something completely different. Yes you can do the same with output buffering.. But it still includes the HTML that was not printed by the parser.



What about this case, do you really think output ob_start() buffering???

ob_start();
<?php echo $user->getName()?>
<b> This is ALSO cached by output buffer function.....</b>
$content = ob_get_flush();


That script... yes .. ob_start() before everything and ob_get_contents() will return the complete parsed content... but it does NOT intercept the ECHO statement, meaning if you where about to try parsing:


Meaning Output buffering functions could NEVER intercept the echo statement ( RATHER THE WHOLE THING ) . 


What if we wanted to intercept the real echo statement and not the ob_* functions..


Seriously your comment does not make sense. You are talking about ob_* functions while this is a whole another case, please don't follow this ticket.

From my point of view, keithm provides a solution that does exactly the thing you have asked for. Output buffering wasn't created for this purpose, but it can be easily used for it without breaking anything. If this is not what you wanted, maybe your description is not clear enough?

However this is a solution for a problem that doesn't exist in reality.
 1. Most of the data output by scripts should never be escaped.
    Yet your idea causes ALL data to be escaped, producing garbage.
 2. In few specific cases there are small portions of data from untrusted
    sources that should be escaped. In such cases a single call is enough.
    What you want to be introduced requires 3 lines of code (enable escaping,
    echo, disable escaping) just to make same thing a single function call
    could do.
 3. Even worse: the concept is perpendicular to echo by design,
    but not perpendicular to echo by behaviour. Hence it's a design error.

1. if you want taint mode, refer to : http://pecl.php.net/taint
2. if you want escape output: refer to http://www.php.net/manual/en/function.ob-
start.php

thanks

The commenters are right: output buffering already deals with the feature as requested, and as Laruence points out, the taint extension is available for the underlying issue if you want to go down that road.

Closing.

Ignorance, gotta love it. There is really a difference of output buffering functions and this, I do of course know of the output buffering functions, this is NOT RELATED. Read on to really see what I mean about this.



This is how people in most cases write their VIEW logic. Meaning ending and starting <?php echo ..?> every time they echo stuff.. That also means you should ESCAPE ALL data that comes to echo, else you are just not SAFE. 


index.php:


<?php
  // Web page title.
  $title = 'My website';
  // A item from the database.
  $item = array('title' => '<script>alert("Hi!")</script>');
?>

<?php ob_start() ?>
<html>
	<head>
		<title><?php echo $title?></title>
	</head>
	<body>
		<div><p><?php echo $item['title']?></p></div>
	</body>
</html>
<?php
$content = htmlspecialchars(ob_get_flush(),ENT_QUOTES,'UTF-8');
echo $content;

/*  Returns:
&lt;html&gt;
	&lt;head&gt;
		&lt;title&gt;My website&lt;/title&gt;
	&lt;/head&gt;
	&lt;body&gt;
		&lt;div&gt;&lt;p&gt;&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;&lt;/p&gt;&lt;/div&gt;
	&lt;/body&gt;
&lt;/html&gt;


FAIL?! We NEED a echo handler....
*/
?>




Obviously this won't work if people wrote their template like this (but that's up to them...):


index.php

echo "
<html>
	<head>
		<title>{$title}</title>
	</head>
	<body>
		<div><p>{$item['title']}</p></div>
	</body>
</html>
";



This is wanted behaviour (The use of htmlspecialchars wouldn't be necessary if we had a handler that intercepted the echo statement.):


<?php
  // Web page title.
  $title = 'My website';
  // A item from the database.
  $item = array('title' => '<script>alert("Hi!")</script>');
?>

<html>
	<head>
		<title><?php echo htmlspecialchars($title,ENT_QUOTES,'UTF-8')?></title>
	</head>
	<body>
		<div><p><?php echo htmlspecialchars($item['title'],ENT_QUOTES,'UTF-8')?></p></div>
	</body>
</html>
<?php

/*  Returns:
<html>
	<head>
		<title>My website</title>
	</head>
	<body>
		<div><p>&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;</p></div>
	</body>
</html>


Perfect!
*/
?>

When making general statements, first make sure that by writing "all people do" you don't mean "I do". Also please take a look at the calendar. Mine says 2012, not the end of XX century. Maybe 10 years ago it was acceptable, but it's no longer a good habit to mix business logic and presentation layer, virtually any bigger application is written in OOP (which doesn't mix well with exiting PHP mode) and the presentation layer is handled by template engines or frameworks.

As I said before: you're trying to solve a problem that doesn't really exist. If it can be observed anywhere, it's just a symptom of a different problem that lies between keyboard and chair, not in PHP.

Also it's not a good idea to call PHP devs ignorants and raging because your idea is not accepted. If you believe that it's really needed, try to convince people it is so! Insulting will not get you anywhere.

Just stating the obvious.

OOP, MVC, Templating engine, you sir have greatly missed the point of this feature request.
 
Are you talking about OOP? OOP has _nothing_ to do with this question, of course you would use OOP: classes, namespaces and traits.. But this is not the place to talk about OOP design.
 
Are you talking about MVC? Because this addition will make every currently existing MVC frameworks such as Symfony 2 and Codeigniter more secure. 


You separate controller / business logic / presentation logic, but you are now starting a discussion of using a 3rdparty library against php itself as a templating-engine. Does not really make sense at all regarding this feature request. 

You don't USE a templating framework if you implement this change, this change will make it easier then never to CREATE the fastest templating engine on the market without having to parse code to php code and then use the php code to make php safe. Note, php is a language, you can also template with it because of it's easy syntax HTML<?php echo $var?>MORE_HTML.


In Symfony 2 you have to either use 

- TWIG syntax (Templating engine)
- echo $this->escape("<script></script"); ( Symfony way .. )


Now, this didn't have to be needed if this feature request was implemented.

- echo "<script>.."; ( This is not possible at this time )

Before you blatantly ignore this bug report, please take your time to read the following posts:

- http://fabien.potencier.org/article/34/templating-engines-in-php ( Security )
- http://pkj.no/blog/2012/08/08/php-use-a-template-system-or-not


And the most important rule of XSS prevention (right now):

" Don't forget to add htmlspecialchars($var, ENT_QUOTES, 'utf-8') on every single echo statement "