1.2.0-alpha3: wrap ESI #markup with Markup::create to bypass XSS filter Critical bug fix from the 1.3.0-alpha2 adopter field test on portal-dev. ESI fragments produced no output at all in 1.2.0-alpha2 because the renderer pipes #markup strings through Xss::filterAdmin(), which only whitelists a fixed set of HTML tags. <esi:include> is not on that list, so the entire string was being stripped to empty before output. Same outcome for the HTML-comment fallback marker. The fix is to wrap the emitted markup in \Drupal\Core\Render\Markup, which marks a string as already-trusted output and bypasses the filter. The src URL is separately escaped via htmlspecialchars before the wrap, so marking the resulting string as safe is correct.