It is unclear to me at this point exactly how we need to be approaching this topic as a whole. Currently the only example I know of is Drupal\block\Tests\BlockTitleXSSTest::testXSSInTitle(), which is utilizing the Drupal\block_test\Plugin\block\block\TestXSSTitleBlock class as a platform to provide XSS injection for the block labels. This is puzzling on a number of levels for me because these label-type elements should be getting passed through the @Translation class, not be standalone, and if we need sanitization wrapped around that, then we probably need some additional configuration+hook that exists within the plugin manager to specify what metadata elements get additional handling and how.
I don't have any real answers here, but would like to discuss it some. What's the general consensus on this topic?
Eclipse