Issue #3215627 by guilhermevp, varshith, rahulkhandelwal1990, ilgnerfagundes,...

Issue #3215627 by guilhermevp, varshith, rahulkhandelwal1990, ilgnerfagundes, ankithashetty, pragati_kanade, quietone, thiagorw, cilefen, mrclay, larowlan: HtmlTag doc should be clear about escaping of #value (cherry picked from commit 11996c7a)

Issue #3215627 by guilhermevp, varshith, rahulkhandelwal1990, ilgnerfagundes,...
af2a2c5a · Dave Long · b0a4cd3e · af2a2c5a
Verified Commit af2a2c5a authored 8 months ago by Dave Long
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -16,8 +16,8 @@
 * - #tag: The tag name to output.
 * - #attributes: (array, optional) HTML attributes to apply to the tag. The
 *   attributes are escaped, see \Drupal\Core\Template\Attribute.
- * - #value: (string, optional) A string containing the textual contents of
- *   the tag.
+ * - #value: (string|MarkupInterface, optional) The textual contents of the tag.
+ *   Strings will be XSS admin filtered.
 * - #noscript: (bool, optional) When set to TRUE, the markup
 *   (including any prefix or suffix) will be wrapped in a <noscript> element.
 *
@@ -29,6 +29,8 @@
 *   '#value' => $this->t('Hello World'),
 * ];
 * @endcode
+ *
+ * @see \Drupal\Component\Utility\Xss::filterAdmin().
 */
 #[RenderElement('html_tag')]
 class HtmlTag extends RenderElementBase {