Change record status: 
Project: 
Introduced in branch: 
8.5.x
Introduced in version: 
8.5.0
Description: 

In Drupal's Twig implementation, an array output with {{ variable }} or {{ variable | render_var }} is treated as a render array and processed by the theme layer.

A less common feature is the ability to construct render arrays directly in Twig, for example: {{ {"#markup": "Hello, world!"} }}. An indirect side-effect of this is that users with access to Twig can construct malicious render arrays and execute code on the server, which was recognized as a security vulnerability.

To resolve this issue, every array variable passed to a Twig template is automatically wrapped in a \Drupal\Core\Render\ProtectedRenderArray object. ProtectedRenderArray objects behave the same as arrays in most scenarios, except that they cannot be modified or created within a Twig template.

With this change, trying to render an un-wrapped array in a template throws an exception. It is recommended that all render arrays be constructed in PHP before being passed to the theme layer.
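As an added example (not part of this change record), the recommended pattern is to build the render array in a preprocess function and only print the resulting variable in Twig, rather than constructing it inline in the template. The theme name `mytheme`, the variable names `greeting` and `author_label`, and the use of `$variables['node']` are assumptions for illustration.

```php
<?php

/**
 * Implements hook_preprocess_HOOK() for node templates.
 *
 * The render arrays are built here in PHP, so they reach Twig already wrapped
 * and cannot be altered or re-created inside the template.
 * (Illustrative example; "mytheme" is an assumed theme name.)
 */
function mytheme_preprocess_node(array &$variables) {
  /** @var \Drupal\node\NodeInterface $node */
  $node = $variables['node'];

  $variables['greeting'] = [
    // Translatable string controlled by the site, safe to output as markup.
    '#markup' => t('Hello, world!'),
  ];

  $variables['author_label'] = [
    // User-supplied value: #plain_text escapes it instead of treating it as HTML.
    '#plain_text' => $node->getOwner()->getDisplayName(),
  ];
}
```

In node.html.twig these are then printed as {{ greeting }} and {{ author_label }}; writing {{ {"#markup": "..."} }} directly in the template instead throws once this change is in place.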

Impacts: 
Site builders, administrators, editors
Module developers
Themers