
Funny, because it's what React.js allows you to do nowadays



The difference is React actually handles escaping properly. It won't just dump out raw HTML by default, so you won't have an XSS issue.

PHP, on the other hand, requires manual escaping with htmlentities() ... It is very, very error prone.


You are comparing a framework to a language though. Escaping in PHP is usually handled by the templating component, you don't go around writing htmlentities() everywhere.


If you're dealing with decade-old code that uses no framework, you certainly do. PHP is, by default, a primitive templating language...


PHP comes with a Web framework built in (that's what things like `$_GET`, `$_POST`, `htmlentities`, etc. are). It is also a templating language, that's why we need to write `<?` at the start (to open a PHP tag).
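
The contrast discussed in this thread, manual escaping at each output site versus a template layer that escapes by default, shown as an added example that is not part of any comment above and is not React's or PHP's own code. The names `escapeHtml`, `Raw`, `raw`, `html` and `manualTemplate` are hypothetical, and the sample strings are constructed.

```javascript
// Added illustration; all names here are hypothetical, not a real library's API.

// The same five characters PHP's htmlspecialchars() converts with ENT_QUOTES.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Explicit opt-out wrapper: markup is emitted verbatim only when the caller asks.
class Raw {
  constructor(markup) { this.markup = String(markup); }
}
const raw = (markup) => new Raw(markup);

// Escape-by-default template tag: every interpolated value is escaped
// unless it was deliberately wrapped in raw().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof Raw ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Manual style: output is safe only where the author remembered to escape.
function manualTemplate(name, comment) {
  // `comment` is left unescaped here, the kind of omission manual escaping invites.
  return `<p title="${escapeHtml(name)}">${comment}</p>`;
}

// Constructed sample input containing markup characters.
const sampleName = 'Ann "A" <ann@example.test>';
const sampleComment = '<b>bold</b> & more';

function demo() {
  return {
    manual: manualTemplate(sampleName, sampleComment),
    byDefault: html`<p title="${sampleName}">${sampleComment}</p>`,
    optOut: html`<p>${raw('<em>trusted</em>')}</p>`,
  };
}

console.log(demo());
```

With the default-escaping tag, a forgotten call cannot leak raw markup; the only way to emit it is the visible `raw()` wrapper, which is easy to search for in review.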



