Problem/Motivation
Drupal prevents loading translation strings that contain possibly dangerous tags. When you import translations or translate in the UI, each string is run through locale_string_is_safe(), and if that function returns FALSE, the string is rejected and not stored in the database.
However, both core and contributed projects can create translatable strings with these tags in them. If they do, and translators leave the tags in (as they generally should when translating strings with HTML in them), the translations will never get imported into sites.
Proposed resolution
Use a runtime assert() statement to test all translatable strings using code identical to locale_string_is_safe().
This will ensure that Drupal Core and contributed modules will not have any of these strings in their code, as long as there is at least one automated test that displays the string and all the tests pass. Which means that going forward, Core and any other projects that enforce passing automated tests before committing code, plus any projects that go back and fix tests that suddenly start failing, will be free of these untranslatable strings.
The patch will also need to fix the broken strings in Drupal core.
Remaining tasks
1. Make a patch that adds this assert to the TranslatableMarkup class, and fixes any Core strings that fail the test. [There was one such string in Core, plus another one in a test class. Both have been fixed in the patch.]
2. Review.
3. Commit.
User interface changes
Strings that are translated will not contain any "unsafe" tags that would make them not importable or not translatable in the translation UI.
API changes
A runtime assert in the TranslationMarkup constructor will verify that any translatable string has no unsafe tags, if runtime asserts are being checked (i.e., during tests only -- generally these asserts do not run on production sites).
Data model changes
No.
Release notes snippet
A runtime assert has been added to the TranslationMarkup constructor, which verifies that any translatable string has no unsafe tags. Unsafe tags are any HTML tags that are not listed in the locale_string_is_safe() function. Strings that don't pass this test are not importable when a site imports translations from localize.drupal.org, so it is important that Drupal Core and contributed projects not contain these unsafe strings. This assert will only be checked if runtime asserts are live, which is generally only true when tests are being run. Contributed project tests will see their existing tests fail after this change, if they have any unsafe strings in their code base, assuming that they have test coverage that triggers those strings to be displayed.