diff --git a/core/includes/batch.inc b/core/includes/batch.inc
index bfd6d8e..96d22fd 100644
--- a/core/includes/batch.inc
+++ b/core/includes/batch.inc
@@ -46,6 +46,8 @@ function _batch_page(Request $request) {
 }
 }
 // Restore safe strings from previous batches.
+ // @todo Ensure we are not storing an excessively large string list in:
+ // https://www.drupal.org/node/2295823
 if (!empty($batch['safe_strings'])) {
 SafeMarkup::setMultiple($batch['safe_strings']);
 }
@@ -485,6 +487,8 @@ function _batch_finished() {
 function _batch_shutdown() {
 if ($batch = batch_get()) {
 // Update safe strings.
+ // @todo Ensure we are not storing an excessively large string list in:
+ // https://www.drupal.org/node/2295823
 $batch['safe_strings'] = SafeMarkup::getAll();
 \Drupal::service('batch.storage')->update($batch);
 }
diff --git a/core/includes/form.inc b/core/includes/form.inc
index 793bccf..4029a1e 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -3298,6 +3298,8 @@ function batch_process($redirect = NULL, $url = 'batch', $redirect_callback = NU
 }
 // Store safe strings.
+ // @todo Ensure we are not storing an excessively large string list in:
+ // https://www.drupal.org/node/2295823
 $batch['safe_strings'] = SafeMarkup::getAll();
 // Store the batch.
diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php
index e1c7524..4043da3 100644
--- a/core/lib/Drupal/Component/Utility/SafeMarkup.php
+++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php
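Review bot: The added `@todo` in the _batch_page hunk reads as if the string list is being stored at the URL, because `storing an excessively large string list in:` is followed directly by the link; `// @todo Ensure we are not storing an excessively large string list; see https://www.drupal.org/node/2295823` says what is meant. The identical comment is added in the _batch_shutdown hunk below and in the batch_process hunk of form.inc, so all three should be reworded together. In _batch_shutdown and batch_process the comment sits directly above the line that persists the whole `SafeMarkup::getAll()` result through `batch.storage`, so those two copies would be more useful if they also named that `update()` call as the place where a size bound belongs — whether the storage backend already limits entry size is not visible from these hunks. The body of _batch_page begins before the first hunk, and _batch_shutdown's and batch_process's continue past theirs.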
@@ -12,14 +12,38 @@
 *
 * @todo Add detailed documentation about how to use SafeMarkup and how it is
 * handled during rendering and in the theme layer.
+ *
+ * @see sanitization
 */
 class SafeMarkup {
+ /**
+ * The list of safe strings.
+ *
+ * @var array
+ */
 protected static $safeStrings = array();
 /**
 * Adds a string to a list of strings marked as secure.
 *
+ * This method is for internal use. Do not use it to prevent escaping of
+ * markup; instead, use the appropriate
+ * @link sanitization sanitization functions @endlink or the
+ * @link theme_render theme and render systems @endlink so that the output
+ * can be themed and altered properly.
+ *
+ * This marks strings as secure for the entire page render, not just the code
+ * or element that set it. Therefore, only complete strings should be
+ * marked as safe (never partial markup). For example, you should never do:
+ * @code
+ * SafeMarkup::set("'");
+ * @endcode
+ * or:
+ * @code
+ * SafeMarkup::set('