Apologies for entering into this discussion. I subscribed 2-3 days ago, so I'm missing a lot of the discussion.
I noticed that there is a lot of discussion of whether or not to use a templating engine. From the last e-mail (John Reese) I interpret that it is based on verifying and sanitizing content and probably most important, to be able to implement this in a fast & secure way.
Btw, I had an issue regarding this (yesterday). I used the hash "#" in a custom field name, so the sorting of that column broke... In my opinion (and I assume in yours too) the user should never be allowed to enter a string which contains characters that break a certain functionality. Correct?
To implement such a functianlity you don't need a templating engine... Use a good PHP Framework instead. E.g. Zend Framework
Take a look how this is tackled with the Zend_Validator component:
Just some input from my side...