If unsafe content makes it’s way through a program right to the last stage of processing before outputting a page, or if it produces insecure content from other sources, I’d consider that program to be seriously broken.
That’s backwards. Input isn’t unsafe. If I have a single apostrophe in my name, it shouldn’t break SQL queries. If I put an ampersand in a post title, it shouldn’t break HTML documents. If such breakage occurs, it leads to vectors for SQL injection or cross-site scripting, but that doesn’t mean the input is illegitimate. It’s at the time where the input is interpolated into something else that the problem occurs. And just like it’s the DBD’s business to properly quote values for query execution, so it is the template engine’s business to properly escape strings for insertion into output.
Makeshifts last the longest.