Presumably, there’s no escaping / filtering because it’s concentrating on the ReST side of the service, not on the many other best-practice sides of PHP.

XML is still quite widely used, and it’s potentially a better choice than JSON when (eg) exposing APIs at the edge of your application (ie for third-parties to interact with) because it’s easier to represent complex types with it and the parsers are more mature (eg large documents can be parsed as a stream using off-the-shelf parsers). Plus, it’s arguably more human-readable than JSON.

Don’t get me wrong, JSON definitely has it’s place, but probably so does XML.