diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php
index 9081fae..03bdadb 100644
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -79,6 +79,8 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', '
 $splitter = function ($matches) use ($html_tags, $class) {
 return $class::split($matches[1], $html_tags, $class);
 };
+ // Calling SafeMarkup::set() is acceptable here because all known XSS
+ // vectors will have been filtered out by now.
 return SafeMarkup::set(preg_replace_callback('%
 (
 <(?=[^a-zA-Z!/]) # a lone <
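Review bot: The added comment above `return SafeMarkup::set(...)` states the safety claim unconditionally, but the visible code passes the caller-supplied `$html_tags` into `$class::split()`, so what gets filtered depends on the allowlist each caller provides. Because the result is marked safe, later escaping is presumably skipped, so a permissive allowlist, or reuse of the output outside HTML element content (for example inside an attribute value), would not be caught downstream. I would state the conditions in the comment, e.g. `// Marked safe only for HTML body context and the given $html_tags allowlist;` followed by `// callers must not reuse the result in attribute values, scripts or URLs.` It is also worth confirming what `SafeMarkup::set()` receives if `preg_replace_callback()` returns NULL on a PCRE error; the rest of filter(), including the pattern's end and modifiers, lies outside this hunk.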