X-Git-Url: http://aleph1.co.uk/gitweb/?a=blobdiff_plain;f=web%2Fcore%2Flib%2FDrupal%2FCore%2FRender%2Ftheme.api.php;h=2bb2eb9aa8fd9615335c14d037d4c01461321a2c;hb=5b8bb166bfa98770daef9de5c127fc2e6ef02340;hp=754641cce75607868bbd686ed6bf1da7ec7d41f5;hpb=9917807b03b64faf00f6a1f29dcb6eafc454efa5;p=yaffs-website
diff --git a/web/core/lib/Drupal/Core/Render/theme.api.php b/web/core/lib/Drupal/Core/Render/theme.api.php
index 754641cce..2bb2eb9aa 100644
--- a/web/core/lib/Drupal/Core/Render/theme.api.php
+++ b/web/core/lib/Drupal/Core/Render/theme.api.php
@@ -765,6 +765,12 @@ function hook_extension() {
 /**
  * Render a template using the theme engine.
  *
+ * It is the theme engine's responsibility to escape variables. The only
+ * exception is if a variable implements
+ * \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
+ * other variables are not escaped. The helper function
+ * theme_render_and_autoescape() may be used for this.
+ *
  * @param string $template_file
  * The path (relative to the Drupal root directory) to the template to be
  * rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.
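Review bot: The added paragraph states the escaping contract only in general terms ("variables") and does not tie it to the value that actually crosses the boundary, which makes it easy for an engine author to read it as advice rather than a requirement on every entry of the variables array passed to this hook. I would reword the third and fourth added lines to `Output is unsafe unless every other value in the variables array is escaped before it reaches the output.` and close with `theme_render_and_autoescape() applies this rule to a single value and is the recommended way to do it.`, so the MarkupInterface exception and the helper are read as one rule. It would also help to mention in the parameter documentation that follows (presumably an `@param` entry for the variables array, which lies outside this hunk) that callers must not pre-escape, since double escaping would otherwise be the engine's problem to detect. The hook_render_template docblock and the function itself continue past the end of the hunk.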