Change String::format()'s '@' and '%' placeholders to be auto-escaped rather than always-escaped

That is a good idea to do regardless of what else we do.

Do we need additional tests for this?

Else this would be RTBC from my side.

Nice work!

Lol, nice.

I re-reviewed the patch and this is RTBC.

The beta evaluation made me laugh :) - Yes, I really want to keep double-escaped text1111!!!!1111

j/k - Let's get this in.

I think the changes in the twig files really show that this is a very nice idea/patch :) Since this is an area that is used a lot at runtime, are there any performance concerns for the switch from String::checkPlain() to SafeMarkup::escape()?

+++ b/core/lib/Drupal/Component/Utility/String.php
@@ -74,19 +74,21 @@ public static function decodeEntities($text) {
+   *   - !variable: Inserted as is, with no sanitization or formatting. Only
+   *     use this when the resulting string is being generated for one of:

Just a very minor point here, "use" can go back up at the end of the previous line. Can be easily fixed on commit.

#14: One function call more overall, but if escaped already, saving the call to ::checkPlain().

So in the worst case one function call more, in the best case, saving the check_plain operation.

This seems to make a lot of sense, thank you very much @effulgentsia!

Nice. Committed b33a46b and pushed to 8.0.x. Thanks!

Thank you for adding the beta evaluation to issue summary.