From af2a2c5a14f8aa090ffee31de40fad63c3daa536 Mon Sep 17 00:00:00 2001
From: Dave Long <dave@longwaveconsulting.com>
Date: Thu, 22 Aug 2024 22:38:27 +0100
Subject: [PATCH] Issue #3215627 by guilhermevp, varshith, rahulkhandelwal1990,
 ilgnerfagundes, ankithashetty, pragati_kanade, quietone, thiagorw, cilefen,
 mrclay, larowlan: HtmlTag doc should be clear about escaping of #value

(cherry picked from commit 11996c7a16871164d04513b30697f885524880d6)
---
 core/lib/Drupal/Core/Render/Element/HtmlTag.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index b87f3b866e9c..537b3cce99ae 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -16,8 +16,8 @@
  * - #tag: The tag name to output.
  * - #attributes: (array, optional) HTML attributes to apply to the tag. The
  *   attributes are escaped, see \Drupal\Core\Template\Attribute.
- * - #value: (string, optional) A string containing the textual contents of
- *   the tag.
+ * - #value: (string|MarkupInterface, optional) The textual contents of the tag.
+ *   Strings will be XSS admin filtered.
  * - #noscript: (bool, optional) When set to TRUE, the markup
  *   (including any prefix or suffix) will be wrapped in a <noscript> element.
  *
@@ -29,6 +29,8 @@
  *   '#value' => $this->t('Hello World'),
  * ];
  * @endcode
+ *
+ * @see \Drupal\Component\Utility\Xss::filterAdmin().
  */
 #[RenderElement('html_tag')]
 class HtmlTag extends RenderElementBase {
-- 
GitLab