Advisories for Composer/Twig/Markdown-Extra package

2026

Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

Several filters in the twig/* extras packages are registered with `is_safe => ['all']`, which tells Twig's autoescaper to treat their output as safe in every context (html, js, css, url, …). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context. Affected filters: `html_to_markdown` (twig/markdown-extra) emits plain Markdown text. league/html-to-markdown decodes HTML entities when producing code spans and fenced blocks, …
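To make the declaration concrete, the following is an added example (not code from the advisory or from the twig/* packages): a minimal Twig extension that registers a hypothetical text-producing filter once the way the advisory describes and once with no `is_safe` claim, then renders both inside a JavaScript autoescape block. The filter name `to_plain_text`, its callback and the sample input are assumptions.

```php
<?php
// Added example, not from the advisory or the twig/* packages.
// Demonstrates why `is_safe => ['all']` is wrong for a filter whose output is
// plain text, and what the registration should look like instead.

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class PlainTextFiltersExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // WEAK: 'all' tells the autoescaper the result needs no escaping in
            // any context, so decoded quotes land verbatim inside a JS string.
            new TwigFilter('to_plain_text_unsafe', [$this, 'toPlainText'], [
                'is_safe' => ['all'],
            ]),
            // CORRECT for plain-text output: claim no safety at all; the
            // autoescaper then applies the escaping of the active context
            // (html, js, css, url, html_attr).
            new TwigFilter('to_plain_text', [$this, 'toPlainText']),
            // A filter that really emits HTML markup would declare only
            // ['is_safe' => ['html']], never 'all'.
        ];
    }

    // Hypothetical callback: strip tags and decode entities to plain text.
    public function toPlainText(string $html): string
    {
        return html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Both templates embed the filter result in a JS string literal.
$twig = new Environment(new ArrayLoader([
    'unsafe' => "{% autoescape 'js' %}var s = \"{{ input|to_plain_text_unsafe }}\";{% endautoescape %}",
    'safe'   => "{% autoescape 'js' %}var s = \"{{ input|to_plain_text }}\";{% endautoescape %}",
]));
$twig->addExtension(new PlainTextFiltersExtension());

// Constructed input: the entities decode to a double quote, which terminates
// the JS string literal when emitted unescaped.
$input = '<p>He said &quot;hi&quot;</p>';
echo $twig->render('unsafe', ['input' => $input]), "\n"; // raw quotes inside the literal
echo $twig->render('safe',   ['input' => $input]), "\n"; // quotes escaped by the js strategy
```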