diff --git a/core/lib/Drupal/Core/StringTranslation/StringTranslationTrait.php b/core/lib/Drupal/Core/StringTranslation/StringTranslationTrait.php
index 1d7592b..fe7befc 100644
--- a/core/lib/Drupal/Core/StringTranslation/StringTranslationTrait.php
+++ b/core/lib/Drupal/Core/StringTranslation/StringTranslationTrait.php
@@ -37,6 +37,10 @@
    * Translates a string to the current language or to a given language.
    *
    * See the t() documentation for details.
+   *
+   * Never call $this->t($user_text) where $user_text is text that a user
+   * entered; doing so can lead to cross-site scripting and other security
+   * problems.
    */
   protected function t($string, array $args = array(), array $options = array()) {
     return $this->getStringTranslation()->translate($string, $args, $options);
diff --git a/core/lib/Drupal/Core/StringTranslation/TranslationInterface.php b/core/lib/Drupal/Core/StringTranslation/TranslationInterface.php
index 7595029..c3e2f68 100644
--- a/core/lib/Drupal/Core/StringTranslation/TranslationInterface.php
+++ b/core/lib/Drupal/Core/StringTranslation/TranslationInterface.php
@@ -17,6 +17,10 @@
   /**
    * Translates a string to the current language or to a given language.
    *
+   * Never call translate($user_text) where $user_text is text that a user
+   * entered; doing so can lead to cross-site scripting and other security
+   * problems.
+   *
    * @param string $string
    *   A string containing the English string to translate.
    * @param array $args
diff --git a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php
index c653dad..87ff63e 100644
--- a/core/lib/Drupal/Core/StringTranslation/TranslationManager.php
+++ b/core/lib/Drupal/Core/StringTranslation/TranslationManager.php
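Review bot: The warning added to the t() docblock says what callers must not do but not the safe alternative, so a reader who needs user-entered text in a translated message is left to improvise; presumably that text belongs in the $args replacements, and saying so keeps callers from hand-rolling escaping. Consider appending `Pass user-entered text through the $args replacements instead.` after "problems." The TranslationInterface::translate() hunk in this same span adds the identical paragraph and has the same gap. The body of t() ends outside the hunk.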
@@ -142,6 +142,9 @@ public function getStringTranslation($langcode, $string, $context) {
   public function translate($string, array $args = array(), array $options = array()) {
     $string = $this->doTranslate($string, $options);
     if (empty($args)) {
+      // This is assumed to be safe because translate should only be called
+      // with strings defined in code.
+      // @see \Drupal\Core\StringTranslation\TranslationInterface::translate()
       return SafeMarkup::set($string);
     }
     else {
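Review bot: The added comment justifies `SafeMarkup::set($string)` by the source string being defined in code, but the value being marked safe is the result of `doTranslate()` two lines above, i.e. the translated text, so the assumption also covers whatever the translation source returns, not only the caller's literal. Making that explicit would document the trust boundary, e.g. `// The translated string is marked safe as well, so translation sources are trusted; callers must only pass strings defined in code.` The comment also sits only in the empty($args) branch; the else branch and the remainder of translate() are outside the hunk, so whether that path relies on the same assumption cannot be seen here.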