GHSA-4j38-f5cw-54h7 (Low)
Twig: The `spaceless` filter implicitly marks its output as safe
🔗 CVE IDs covered (1)
📋 Description
### Description
The `spaceless` filter is registered with `is_safe => ['html']`, which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote `|raw` and autoescape is enabled.
Example:
```twig
{% set payload = '<script>alert()</script>' %}
{{ payload }} {# escaped #}
{{ payload|spaceless }} {# not escaped #}
```
The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same `is_safe` flag.
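As an added illustration (not code from the advisory, Twig or Drupal), the script below mirrors a downstream copy of the filter registered once with `is_safe => ['html']`, as in affected versions, and once without the flag, as in the fix, and prints which filters in the environment declare HTML-safe output. The filter names `unsafe_spaceless` and `safe_spaceless`, the template and the payload are constructed for this demonstration; it assumes `twig/twig` is installed via Composer.

```php
<?php
// Added example: a downstream copy of the spaceless filter body registered in
// the vulnerable way (is_safe => ['html']) and in the fixed way (no flag),
// rendered with the HTML autoescaper enabled. Filter names, template and
// payload are constructed for this demonstration.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Node\Node;
use Twig\TwigFilter;

// The whitespace-collapsing body: drop whitespace between tags, trim the rest.
$spaceless = static fn (string $content): string =>
    trim(preg_replace('/>\s+</', '><', $content));

$loader = new ArrayLoader([
    'demo' => "{{ payload }}\n{{ payload|unsafe_spaceless }}\n{{ payload|safe_spaceless }}\n",
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Vulnerable registration: the result is declared safe for HTML, so the
// autoescaper emits any markup contained in the input untouched.
$twig->addFilter(new TwigFilter('unsafe_spaceless', $spaceless, ['is_safe' => ['html']]));

// Fixed registration: no is_safe option, so the result is escaped like any
// other string when printed in an HTML context.
$twig->addFilter(new TwigFilter('safe_spaceless', $spaceless));

// Audit helper: list every registered filter that declares its output safe
// for HTML. Useful when checking an application or module for duplicated
// filters that inherited the flag. getSafe() takes the filter's argument
// node; an empty Node is enough for filters with a static is_safe option.
function htmlSafeFilters(Environment $env): array
{
    $safe = [];
    foreach ($env->getFilters() as $name => $filter) {
        $flags = $filter->getSafe(new Node());
        if ($flags !== null && in_array('html', $flags, true)) {
            $safe[] = $name;
        }
    }
    sort($safe);
    return $safe;
}

// Constructed attacker-controlled value (the advisory's own example string).
echo $twig->render('demo', ['payload' => '<script>alert()</script>']);
echo "Filters marked HTML-safe: " . implode(', ', htmlSafeFilters($twig)) . "\n";
```

The first and third rendered lines are entity-escaped while the second carries the raw `<script>` element, and `unsafe_spaceless` appears in the audit list alongside Twig's own `raw`, whereas `safe_spaceless` does not.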
### Resolution
The `spaceless` filter no longer marks its output as safe. Documentation has been updated to warn that `spaceless` should not be applied to unsanitised user input.
### Credits
Twig would like to thank Pierre Rudloff for reporting the issue.
🎯 Affected products (1)
- composer/twig/twig:< 3.26.0