Xss::filter() and Xss::filterAdmin() no longer mark their results as safe markup, in order to avoid early sanitization and pollution of the safe string list.
To filter strings where a render array is used, use #markup instead: it automatically applies the same filtering strategy as Xss::filterAdmin() and renders the result as a safe string, but with less memory and function call overhead, following #2506581: Remove SafeMarkup::set() from Renderer::doRender.
For example:
$local_render_array['#markup'] = $html_string;
The list of tags can be set as well, for example:
$local_render_array = [
  '#markup' => $html_string,
  '#allowed_tags' => ['strong', 'em'],
];
See "Twig autoescape enabled. New SafeMarkup class added." for more information.
Additionally, SafeMarkup::checkAdminXss() and SafeMarkup::xssFilter() were removed before 8.0.0 because they may produce unexpected results when a string has been marked safe using a different filtering strategy. If the result is not being used directly in the rendering system (for example, when it is being combined with other strings before rendering), use Xss::filterAdmin() or Xss::filter(). Otherwise, as above, use a #markup render array element to mark the result as safe.
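The two cases above side by side, as an added example that is not part of the original change record. It assumes a Drupal 8 module; the function names (mymodule_*) and the tag lists are hypothetical.

```php
<?php

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

/**
 * Case 1: the string goes straight to the renderer.
 *
 * No explicit Xss::filter() call is needed. The renderer filters #markup
 * (here against the given #allowed_tags) and marks the output as safe.
 */
function mymodule_build_user_note($untrusted_html) {
  return [
    '#markup' => $untrusted_html,
    '#allowed_tags' => ['strong', 'em'],
  ];
}

/**
 * Case 2: the string is combined with other strings before rendering.
 *
 * Xss::filter() returns a plain string that is NOT marked safe, so each
 * part is sanitized for its own context, and the combined result is still
 * handed to the renderer through #markup rather than printed directly.
 */
function mymodule_build_attributed_note($untrusted_html, $untrusted_name) {
  // Limited HTML is allowed in the note body.
  $body = Xss::filter($untrusted_html, ['strong', 'em']);
  // The author name is plain text: escape it, do not tag-filter it.
  $name = Html::escape($untrusted_name);

  return [
    // #markup filters the combined string again with the same tag list,
    // and only at this point is the result marked safe for Twig.
    '#markup' => $name . ': ' . $body,
    '#allowed_tags' => ['strong', 'em'],
  ];
}
```

Passing the return value of Xss::filter() directly to a Twig template instead of through #markup results in it being autoescaped, since it is no longer on the safe string list.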
Related change records
See Twig autoescape enabled and text sanitization APIs updated for a full list of related change records.