1) Agreed.
2) Citation? PHP is extremely popular, so it has more insecure code in comparison to Ruby. Also, Rails isn't above multiple security vulnerabilities per year, so I don't see how WordPress (which incidentally is an extremely old application) could be.
3) Testing is extremely popular these days. It's 2014, not 1999.
4) Agreed. PHP finally got shut of PEAR and Composer has had an unbelievable impact on PHP.
5) PHP 5 was released 10 years ago. Give it up already about procedural code.
6) Agreed.
7) Not my experience.
8) PHP has a massive community. Ergo, it has a long tail of frameworks. I seem to remember that Ruby has had more than one.
2) Within the past 6 months I had a WordPress install, which was up to date, used in a DoS attack against someone else. PHP also does some surprising type changes that can be exploited. That plus people remembering the mysql_real_escape crap leaves people with a poor impression of PHP security.
3) It's definitely much better but still doesn't compare to the Ruby or Node communities. I think the biggest changes to the community will be a bigger focus on testing/TDD and Facebook's HHVM.
5) True. WordPress and Joomla are extremely old applications. However, WordPress is still extremely popular, which is why I bring it up.
7) Would you mind adding what your experience has been? I'm genuinely interested.
Ruby really only has 2 main frameworks: Rails and Sinatra. Python and Node are more fractured, but there are generally a few main frameworks.
Problem with HTML escaping by default: it's not all HTML escaping. JavaScript strings need to be JS escaped, and sometimes HTML escaped as a second (or even first) step, to complete the correct encoding needed to avoid XSS for the specific context(s) that output actually ends up in for a browser. Same for CSS, URIs, VBScript, parameters, etc.
HTML escaping is not the one and only escaping strategy that magically makes everything safe. So any automated system would need to incorporate overrides on a per-variable basis.
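Added example (my own Ruby, not code from anyone in this thread) illustrating the layering point above with the nastiest common case, an inline event handler. The browser HTML-decodes an attribute value before the JS engine sees it, so a value in onclick="showUser('...')" has to be JS-escaped first and HTML-escaped second; a single HTML-escaping pass (what "escape by default" gives you) lets a `'` come back out of `&#39;` and terminate the literal. Inside a `<script>` block the order is different again: no HTML decoding happens, so HTML escaping there corrupts the data and only JS escaping is right. The `showUser` handler name, the `payload` string and the "browser" (CGI.unescapeHTML over the attribute, plus a small scanner for the first unescaped quote) are constructed for the demonstration; CGI.escapeHTML stands in for a template engine's default HTML escaping.

```ruby
require 'cgi'

# Escape a value for a JavaScript string literal: every character outside
# [A-Za-z0-9] becomes \xHH or \uHHHH (surrogate pairs above U+FFFF), so the
# output can neither close the literal nor contain any HTML-significant byte.
def js_string_escape(value)
  value.each_char.map do |ch|
    next ch if ch.match?(/\A[A-Za-z0-9]\z/)
    cp = ch.ord
    if cp < 0x100
      format('\\x%02X', cp)
    elsif cp < 0x10000
      format('\\u%04X', cp)
    else
      cp -= 0x10000
      format('\\u%04X\\u%04X', 0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    end
  end.join
end

# What an "HTML-escape-by-default" template produces for an event handler:
# a single pass of HTML escaping over the raw value.
def render_html_only(name)
  safe = CGI.escapeHTML(name)
  %(<a href="#" onclick="showUser('#{safe}')">#{safe}</a>)
end

# Correct layering for an event-handler attribute. The browser HTML-decodes
# the attribute first and only then hands the text to the JS parser, so the
# value is JS-escaped first and HTML-escaped second.
def render_layered(name)
  attr_value = CGI.escapeHTML(js_string_escape(name))
  %(<a href="#" onclick="showUser('#{attr_value}')">#{CGI.escapeHTML(name)}</a>)
end

# Simulated browser step (not a real HTML parser): pull the onclick attribute
# out and entity-decode it, which is the text the JavaScript engine runs.
def handler_source(html)
  CGI.unescapeHTML(html[/onclick="([^"]*)"/, 1])
end

# Split the handler at the first unescaped single quote after the opening
# one: [string literal body, code that follows it]. If the payload escaped
# the literal, the second element carries attacker-controlled statements.
def split_literal(js)
  start = js.index("'") + 1
  i = start
  while i < js.length
    case js[i]
    when '\\' then i += 2
    when "'" then return [js[start...i], js[(i + 1)..-1]]
    else i += 1
    end
  end
  [js[start..-1], '']
end

# Inside a <script> block the HTML parser decodes nothing, so HTML escaping
# there corrupts data (the user sees O&#39;Brien) while JS escaping alone is
# both correct and safe: "<" becomes \x3C, so "</script>" can never appear.
def render_script_block(name, escaper)
  %(<script>var name = '#{escaper.call(name)}';</script>)
end

if __FILE__ == $PROGRAM_NAME
  payload = "');alert(document.cookie);//" # constructed attacker input
  [[:html_only, render_html_only(payload)], [:layered, render_layered(payload)]].each do |label, html|
    body, rest = split_literal(handler_source(html))
    puts "#{label}: literal=#{body.inspect} code after literal=#{rest.inspect}"
  end
end
```

Run it and the html_only line shows an empty literal followed by `);alert(document.cookie);//')`, i.e. the payload became code; the layered line shows the whole payload still inside the literal with only `)` after it. The \xHH/\uHHHH style is deliberately heavier than escaping just quotes and backslashes: it also neutralises U+2028/U+2029 (line terminators inside JS literals in older engines) and any `<`, so the same escaper is safe in both attribute and `<script>` contexts and the HTML pass on top of it becomes a no-op rather than a second thing that can go wrong.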