See my sandbox for background, links and proof-of-concept code.
According to the Berkeley paper linked there, proper (context-stack-aware) autosanitization would be a USP in the FOSS market.

Of course there is no chance to get it complete in D8 core, but hopefully a chance to prepare it to be done in contrib.
I have prepared the technical basics, but the research into what our Twig implementation needs for this is beyond my insight.

First step agreed with chx: #1751486: Add context to TemplateData class
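To make the "context stack aware" part concrete, here is an added illustration in PHP (Twig's language). It is not code from the sandbox, the Berkeley paper, Drupal, Twig or the TemplateData class; the class name ContextAwareEscaper, the context names html/attr/url/js, the scheme allow-list and the demo template are all made up for this example. The point it shows: the same value needs different escaping depending on where in the HTML the placeholder sits, and some positions (href, on* handlers) need two layers applied innermost first, which is exactly what a plain HTML-only autoescape cannot do.

```php
<?php
declare(strict_types=1);

// Toy context-stack-aware autoescaper. Added illustration only: this is not Drupal,
// Twig or TemplateData code, and the class and context names are made up here.
// Each {{ placeholder }} gets a stack of escaping contexts derived from the literal
// template text before it, applied innermost first:
//   html          element text
//   attr          quoted attribute value
//   url, attr     href/src/action/formaction attribute
//   js            <script> body
//   js, attr      on* event-handler attribute
// Not handled (a real implementation must): unquoted attributes, '>' inside attribute
// values, HTML comments, CSS, and placeholders in tag- or attribute-name position.
final class ContextAwareEscaper
{
    public static function render(string $template, array $vars): string
    {
        $out = '';
        $seen = '';   // literal template text consumed so far; decides the context
        $parts = preg_split('/(\{\{\s*[A-Za-z_]\w*\s*\}\})/', $template, -1, PREG_SPLIT_DELIM_CAPTURE);
        foreach ($parts as $part) {
            if (preg_match('/^\{\{\s*([A-Za-z_]\w*)\s*\}\}$/', $part, $m)) {
                $out .= self::escapeStack((string) ($vars[$m[1]] ?? ''), self::contextStack($seen));
            } else {
                $seen .= $part;
                $out .= $part;
            }
        }
        return $out;
    }

    /** Derives the context stack for a placeholder from the literal text preceding it. */
    public static function contextStack(string $prefix): array
    {
        if (preg_match('#<script\b[^>]*>(?:(?!</script).)*$#is', $prefix)) {
            return ['js'];
        }
        $lt = strrpos($prefix, '<');
        $gt = strrpos($prefix, '>');
        if ($lt === false || ($gt !== false && $gt > $lt)) {
            return ['html'];                              // between tags
        }
        // Inside a tag: are we inside an open, quoted attribute value?
        if (!preg_match('/\s([A-Za-z][\w-]*)\s*=\s*(["\'])(?:(?!\2).)*$/s', substr($prefix, $lt), $m)) {
            throw new \RuntimeException('Placeholder in tag or attribute-name position; refusing to render');
        }
        $name = strtolower($m[1]);
        if (in_array($name, ['href', 'src', 'action', 'formaction'], true)) {
            return ['url', 'attr'];
        }
        return strncmp($name, 'on', 2) === 0 ? ['js', 'attr'] : ['attr'];
    }

    /** Applies every context on the stack, innermost first. */
    public static function escapeStack(string $value, array $stack): string
    {
        foreach ($stack as $ctx) {
            $value = self::escape($value, $ctx);
        }
        return $value;
    }

    public static function escape(string $value, string $ctx): string
    {
        switch ($ctx) {
            case 'html':
            case 'attr':
                return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
            case 'js':
                // Quoted JS string literal; the hex flags neutralise </script>, quotes and &.
                $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE);
                return $json === false ? '""' : $json;
            case 'url':
                // Scheme allow-list. Control characters are stripped before the check because
                // browsers ignore them inside a scheme ("java\tscript:" is still javascript:).
                $probe = (string) preg_replace('/[\x00-\x20]+/', '', $value);
                if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $probe, $m)
                    && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
                    return '';
                }
                return $value;
        }
        throw new \InvalidArgumentException("Unknown escaping context: $ctx");
    }
}

// Constructed demo input: one XSS-style payload rendered into five different contexts.
$template = '<a href="{{ url }}" title="{{ t }}" onclick="go({{ t }})">{{ t }}</a>'
    . '<script>var t = {{ t }};</script>';
$vars = ['url' => "java\tscript:alert(1)", 't' => '"><script>alert(1)</script>'];
echo ContextAwareEscaper::render($template, $vars), PHP_EOL;
```

Running the demo, the href value is dropped by the url layer (the tab-split javascript: scheme is not on the allow-list), the title attribute and the element text get plain HTML entity encoding, the onclick value is first turned into a JS string literal with <, >, quotes and & hex-encoded and then attribute-encoded on top, and the script body gets the JS layer only. With a single HTML-only autoescape, the onclick and script positions would receive entity encoding that JavaScript does not decode, and the javascript: href would pass through untouched.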

Comments

geek-merlin

Project: Twig for core » Drupal core
Version: » 8.x-dev
Component: Code » theme system
Issue tags: +Needs architectural review

Setting to core and needs-architectural-review to get it rolling.

geek-merlin

Issue summary: View changes

improved

geek-merlin

Issue summary: View changes

refined

star-szr

Issue summary: View changes
Status: Active » Closed (duplicate)

If I'm not mistaken, this was handled by #1825952: Turn on twig autoescape by default. Thanks @axel.rutz :)