Follow-up to #2297711: [meta] Fix double-escaping due to Twig autoescape
Problem/Motivation
The DX for fixing HTML-escaped values from the render API is currently a pain.
We don't want to open up security holes, but we also don't want to make it a pain to put, for example, #descriptions with HTML tags in them on fields. So the midpoint between those two problems seems to be running Xss::filterAdmin() on certain render array keys.
Example issue for reference: #2309929: HTML double-escaping in field forms
Proposed resolution
@larowlan and @chx came up with a great idea to deal with the DX and safe markup work necessary for a good chunk of what's left HTML escaped through keys in the Render API.
Proposing the following keys be run through Xss::filterAdmin() in the render API:
- #description
- #field_prefix
- #field_suffix
- #prefix
- #suffix
Remaining tasks
Decide which keys should be XSS filtered.
User interface changes
n/a
API changes
Certain keys will be automatically run through Xss::filterAdmin().
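The following sketch, added here as an illustration and not taken from Drupal core or from any patch on this issue, shows what filtering the proposed keys could look like next to plain escaping. The helper name filter_admin_keys(), the FILTERED_KEYS constant and the sample form are hypothetical; it assumes the drupal/core-utility Composer package is installed so that Xss and Html can be autoloaded.

```php
<?php
// Added illustration, not Drupal core code. Assumes the drupal/core-utility
// Composer package is installed and autoloadable.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Keys proposed in this issue for admin-level XSS filtering.
const FILTERED_KEYS = ['#description', '#field_prefix', '#field_suffix', '#prefix', '#suffix'];

/**
 * Hypothetical helper: filters the proposed keys on an element and its children.
 */
function filter_admin_keys(array $element): array {
  foreach ($element as $key => $value) {
    $is_property = is_string($key) && $key !== '' && $key[0] === '#';
    if ($is_property) {
      // Only plain strings under the proposed keys are filtered.
      if (in_array($key, FILTERED_KEYS, TRUE) && is_string($value)) {
        $element[$key] = Xss::filterAdmin($value);
      }
    }
    elseif (is_array($value)) {
      // Non-property array entries are treated as child elements.
      $element[$key] = filter_admin_keys($value);
    }
  }
  return $element;
}

// Constructed sample form element.
$form = [
  'name' => [
    '#type' => 'textfield',
    '#title' => 'Name',
    '#description' => 'Use your <em>full</em> name.<script>alert(1)</script>',
    '#field_suffix' => '<abbr title="required">*</abbr>',
  ],
];

// Escaping the whole value is what makes "&lt;em&gt;" show up as literal text.
echo Html::escape($form['name']['#description']), PHP_EOL;

// Filtering keeps the harmless markup and strips the script tags.
$filtered = filter_admin_keys($form);
echo $filtered['name']['#description'], PHP_EOL;
echo $filtered['name']['#field_suffix'], PHP_EOL;
```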