' safe.
   *
   * @var array
   */
  protected static $safeStrings = array();

  /**
   * Checks if a string is safe to output.
   *
   * @param string|\Drupal\Component\Utility\SafeStringInterface $string
   *   The content to be checked.
   * @param string $strategy
   *   The escaping strategy. Defaults to 'html'. Two escaping strategies are
   *   supported by default:
   *   - 'html': (default) The string is safe for use in HTML code.
   *   - 'all': The string is safe for all use cases.
   *   See the
   *   @link http://twig.sensiolabs.org/doc/filters/escape.html Twig escape documentation @endlink
   *   for more information on escaping strategies in Twig.
   *
   * @return bool
   *   TRUE if the string has been marked secure, FALSE otherwise.
   */
  public static function isSafe($string, $strategy = 'html') {
    // Do the instanceof checks first to save unnecessarily casting the object
    // to a string.
    return $string instanceOf SafeStringInterface || isset(static::$safeStrings[(string) $string][$strategy]) ||
      isset(static::$safeStrings[(string) $string]['all']);
  }

  /**
   * Adds previously retrieved known safe strings to the safe string list.
   *
   * This method is for internal use. Do not use it to prevent escaping of
   * markup; instead, use the appropriate
   * @link sanitization sanitization functions @endlink or the
   * @link theme_render theme and render systems @endlink so that the output
   * can be themed, escaped, and altered properly.
   *
   * This marks strings as secure for the entire page render, not just the code
   * or element that set it. Therefore, only valid HTML should be
   * marked as safe (never partial markup). For example, you should never do:
   * @code
   *   SafeMarkup::setMultiple(['<' => ['html' => TRUE]]);
   * @endcode
   * or:
   * @code
   *   SafeMarkup::setMultiple(['