Unverified Commit d448b54d authored by Alex Pott's avatar Alex Pott

Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/blacklist...

Issue #3151091 by dww, rik-dev, alexpott: Replace use of whitelist/blacklist in \Drupal\Component\Utility\Xss and its test and core/lib/Drupal/Core/Render/theme.api.php

(cherry picked from commit 7430b472)
parent be21de7f
+5 −3
@@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) {

    // Defuse all HTML entities.
    $string = str_replace('&', '&', $string);
    // Change back only well-formed entities in our whitelist:
    // Change back only well-formed entities in our list of allowed html tags:
    // Decimal numeric entities.
    $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
    // Hexadecimal numeric entities.
@@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) {
    $splitter = function ($matches) use ($html_tags, $class) {
      return $class::split($matches[1], $html_tags, $class);
    };
    // Strip any tags that are not in the whitelist.
    // Strip any tags that are not in the list of allowed html tags.
    return preg_replace_callback('%
      (
      <(?=[^a-zA-Z!/])  # a lone <
@@ -161,7 +161,9 @@ protected static function split($string, $html_tags, $class) {
      $elem = '!--';
    }

    // When in whitelist mode, an element is disallowed when not listed.
    // Defer to the ::needsRemoval() method to decide if the element is to be
    // removed. This allows the list of tags to be treated as either a list of
    // allowed tags or a list of denied tags.
    if ($class::needsRemoval($html_tags, $elem)) {
      return '';
    }
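Review bot: The new comment in the first hunk (`@@ -70,7`) misstates what the code below it does: the preg_replace calls that follow restore numeric character entities (the decimal one is visible, the hexadecimal one is announced by the next comment line), so "our list of allowed html tags" is not the mechanism in play there, and `// Change back only well-formed entities (decimal, hexadecimal and named):` would describe it accurately. The same mechanical substitution in the second hunk, `Strip any tags that are not in the list of allowed html tags.`, contradicts the new comment in split() in the third hunk, which says the list is treated as either allowed or denied tags via ::needsRemoval(); `// Strip any tags that ::needsRemoval() rejects (by default, tags not in $html_tags).` keeps the two in agreement with the `$class::needsRemoval($html_tags, $elem)` call that actually decides. In a filter whose behaviour is the security boundary, a comment naming the wrong mechanism is the kind that gets copied into later changes, so it is worth correcting now. Both filter() and split() continue outside the hunks shown.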
+3 −3
@@ -274,9 +274,9 @@
 *   vectors while allowing a permissive list of HTML tags that are not XSS
 *   vectors. (For example, <script> and <style> are not allowed.) See
 *   \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If
 *   your markup needs any of the tags not in this whitelist, then you can
 *   implement a theme hook and/or an asset library. Alternatively, you can use
 *   the key #allowed_tags to alter which tags are filtered.
 *   your markup needs any of the tags not in this list, then you can implement
 *   a theme hook and/or an asset library. Alternatively, you can use the key
 *   #allowed_tags to alter which tags are filtered.
 * - #plain_text: Specifies that the array provides text that needs to be
 *   escaped. This value takes precedence over #markup.
 * - #allowed_tags: If #markup is supplied, this can be used to change which