Updated: Comment #0

Problem/Motivation

In the interest of security, should we sanitize _title_callback returns by default?

Proposed resolution

Discuss
Decide whether to sanitize by default - these are primarily used for breadcrumbs, head title and page title

Remaining tasks

Determine a way to replicate the old PASS_THROUGH logic for when the title contains HTML

User interface changes

None

API changes

_title_callback no longer needs to return a sanitized string

Follow-up from #2100397: [meta] Ensure that DX issues identified by a recent review are covered with individual issues.