Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that...

Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that alternate Drupal 8 theme engines must implement auto-escape or they are not secure

core/lib/Drupal/Core/Render/theme.api.php

@@ -765,6 +765,12 @@ function hook_extension() {
 /**
  * Render a template using the theme engine.
  *
+ * It is the theme engine's responsibility to escape variables. The only
+ * exception is if a variable implements
+ * \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
+ * other variables are not escaped. The helper function
+ * theme_render_and_autoescape() may be used for this.
+ *
  * @param string $template_file
  *   The path (relative to the Drupal root directory) to the template to be
  *   rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.