Why twig extension are "HTML safe" by default ?

[lyrixx]

I created a new twig extension with the maker bundle, and I saw that

    public function getFilters(): array
    {
        return [
            new TwigFilter('my_filter', [$this, 'doSomething'], ['is_safe' => ['html']]),
        ];
    }

IMHO, this should not be added because it's a major security issue.
If you really want to make things easy for new comer, it should be commented by default.

[stof]

I totally agree with @lyrixx. Being not safe by default in Twig is a default value based on security. Any filter marked as safe without actually being 100% safe is opening a XSS hole.

[weaverryan]

I agree also - we were trying to show an example, but it’s not a good idea