What are some common pitfalls to avoid when developing a template system in PHP?

One common pitfall when developing a template system in PHP is failing to escape user input on output, which leads to security vulnerabilities such as cross-site scripting (XSS). To prevent this, always pass user input through a function like htmlspecialchars() before outputting it in your templates.

// Example of properly escaping user input in a PHP template
$userInput = '<script>alert("XSS attack!");</script>';
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
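
An added example (not code from the original page) of a template renderer that escapes every placeholder by default, so a forgotten htmlspecialchars() call cannot happen at the call site. It goes beyond the text by also encoding values placed inside a <script> block with json_encode(). The names e, eJs and render and the {{ name }} placeholder syntax are assumptions, and it requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example: e(), eJs(), render() and the {{ name }} syntax are hypothetical.

// HTML body and quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> context: JSON with <, >, &, ' and " emitted as \uXXXX escapes.
function eJs(mixed $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Replaces {{ name }} with the HTML-escaped value and {{ name|js }} with the
// JS-encoded value. There is no unescaped filter; unknown filters are rejected.
function render(string $template, array $vars): string
{
    $out = preg_replace_callback(
        '/\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}/',
        static function (array $m) use ($vars): string {
            $value = $vars[$m[1]] ?? '';          // missing variables render empty
            return match ($m[2] ?? 'html') {      // HTML escaping is the default
                'html' => e((string) $value),
                'js' => eJs($value),
                default => throw new InvalidArgumentException("Unknown filter: {$m[2]}"),
            };
        },
        $template
    );
    return $out ?? throw new RuntimeException('Template regex failed');
}

// Constructed sample template and input.
$template = '<p title="{{ name }}">Hello, {{ name }}</p>'
          . '<script>var user = {{ name|js }};</script>';
$payload = '<script>alert("XSS attack!");</script>';
echo render($template, ['name' => $payload]), "\n";
```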