Whitelisting Tags in Module Output

Here's how to whitelist HTML tags in your module output that are normally stripped out by the XSS filter:

    $tagList = array('input');
  
    return array(
      '#markup' => $buffer,
      '#allowed_tags' => array_merge(\Drupal\Component\Utility\Xss::getAdminTagList(), $tagList),
    );

And here's how to allow data URLs in your module output for displaying images with data that you've already pulled in from a data source (code updated 2017-12-11 to a better format that avoids whitescreening in certain use cases):

  $allowedProtocols = \Drupal\Component\Utility\URLHelper::getAllowedProtocols();
  $allowedProtocols[] = 'data';
  \Drupal\Component\Utility\URLHelper::setAllowedProtocols($allowedProtocols);