> I'm conflicted with this one. For you, PHP "More than 90% of output data
> is data from DB and must be HTML-encoded."
> I have no idea how you came up with this; even with applications or websites
> I'm working on not using a template engine, this is far from the truth.
> Especially now that more and more web applications are consuming JSON APIs,
> the backend often produces mostly JSON & XML.

This is from my experience and from the poll. 35% + 23% of people work 'with
the projects with template rendering on PHP where template engines are not
used' always or quite often. And in such applications there are many
constructions like <?= h($entity->property) ?>, except values with HTML or
constructions like <?= json_encode() ?>, which is quite a rare case.
Also, HTML escaping can be used in XML templates.
Of course, for a JSON API this operator is useless, as well as for
applications with a template engine.


> I don't think "json" escaping should produce an array

JSON is object notation. It is unclear why I would write <?* ['a' => 'b'],
'json' ?> but not get this value encoded in JSON. But you are right: if the
array is cast to string, this is escaping.
