diff --git a/core/lib/Drupal/Core/Render/Renderer.php b/core/lib/Drupal/Core/Render/Renderer.php
index 8a6b87a..a91b14b 100644
--- a/core/lib/Drupal/Core/Render/Renderer.php
+++ b/core/lib/Drupal/Core/Render/Renderer.php
@@ -351,6 +351,8 @@ protected function doRender(&$elements, $is_root_call = FALSE) {
 }
 if (isset($elements['#markup'])) {
+ // @todo Decide how to support non-HTML in the render API in
+ // https://www.drupal.org/node/2501313.
 $elements['#markup'] = SafeMarkup::checkAdminXss($elements['#markup']);
 }
diff --git a/core/modules/rest/src/Plugin/views/display/RestExport.php b/core/modules/rest/src/Plugin/views/display/RestExport.php
index b358b9c..1853ec8 100644
--- a/core/modules/rest/src/Plugin/views/display/RestExport.php
+++ b/core/modules/rest/src/Plugin/views/display/RestExport.php
@@ -288,7 +288,7 @@ public function execute() {
 // isn't actually "markup". Since there's no markup, there's no markup in
 // which to perform an XSS injection. In the case of Views preview, all that
 // is added is a
 tag, which again cannot contain an XSS vector.
-    // @todo Decide how to support non-html in the render API in
+    // @todo Decide how to support non-HTML in the render API in
     //   https://www.drupal.org/node/2501313.
     $output['#markup'] = SafeMarkup::set($output['#markup']);
     $response = new CacheableResponse($this->renderer->renderRoot($output), 200);
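Review bot: The comment above `SafeMarkup::set($output['#markup'])` justifies skipping XSS filtering by saying the serialized output is not markup, but that only holds while the response is delivered with the serialization format's Content-Type and never as text/html, and nothing in this hunk shows where that header is set. Marking the string safe is presumably what lets it pass the `checkAdminXss()` call in `doRender()` (first hunk) unfiltered, so the assumption should be written down next to the call, e.g. `// Safe only because the response is sent with the serializer's MIME type, never text/html.` The body of `execute()` continues outside the hunk, so the header may be set a few lines below; if it is, the comment should point at that line.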