Magento 2 @escapeNotVerified

This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass the tests; the latter means that this particular usage has been checked and is safe.

In future releases, all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:

  • \Magento\Framework\View\Element\AbstractBlock::escapeHtml
  • \Magento\Framework\View\Element\AbstractBlock::escapeUrl
  • \Magento\Framework\View\Element\AbstractBlock::escapeXssInUrl
  • \Magento\Framework\View\Element\AbstractBlock::escapeQuote

Also note that some output is considered safe and should not be marked with such annotations:

  • Enclosed in single quotes
  • Enclosed in double quotes but without variables
  • Type casting to bool, int
  • Method calls whose names contain 'html', like getTitleHtml, are also expected to output escaped HTML

I found it in the Magento 2 devdocs.

Static Test

To improve security against XSS injections, a static test, XssPhtmlTemplateTest.php, is added to dev\tests\static\testsuite\Magento\Test\Php.

This static test finds all echo calls in PHTML templates and determines whether each one is properly escaped or not.

It covers the following cases:

  • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.

  • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.
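As an added illustration (not Magento's own XssPhtmlTemplateTest, which is more thorough), the following stand-alone PHP script applies the rules listed above to a constructed template fragment: annotated echoes pass, outputs wrapped in escapeHtml/escapeUrl/escapeXssInUrl/escapeQuote, ...Html() getters, literals and int/bool casts count as safe, and anything else is reported as unverified. The block names, getters and template lines are constructed for the example.

```php
<?php
// Simplified re-implementation of the escaping rules from the devdocs,
// NOT Magento's XssPhtmlTemplateTest. Each `echo` in a template string is
// classified as SAFE, MARKED (annotated) or UNVERIFIED (test would fail).
function classifyEchoes(string $phtml): array
{
    $results = [];
    // Capture an optional /* @annotation */ comment and the echoed expression.
    $pattern = '~(/\*\s*@(noEscape|escapeNotVerified)\s*\*/)?\s*echo\s+(.+?);~s';
    preg_match_all($pattern, $phtml, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $annotation = $m[2];          // "" when no annotation precedes the echo
        $expr = trim($m[3]);
        if ($annotation !== '') {
            $results[$expr] = 'MARKED @' . $annotation;            // test green
        } elseif (
            preg_match('~^\'[^\']*\'$~', $expr)                     // single-quoted literal
            || preg_match('~^"[^"$]*"$~', $expr)                    // double quotes, no $var
            || preg_match('~^\((?:int|bool)\)~', $expr)            // cast to int/bool
            || preg_match('~->escape(Html|Url|XssInUrl|Quote)\(~', $expr)
            || preg_match('~->\w*Html\w*\(~i', $expr)              // getTitleHtml() etc.
        ) {
            $results[$expr] = 'SAFE';
        } else {
            $results[$expr] = 'UNVERIFIED';                        // test red
        }
    }
    return $results;
}

// Constructed sample template exercising each rule (block getters are hypothetical).
$template = <<<'PHTML'
<h2><?php echo $block->getTitle(); ?></h2>
<h2><?php /* @escapeNotVerified */ echo $block->getSubtitle(); ?></h2>
<h2><?php echo $block->escapeHtml($block->getTitle()); ?></h2>
<a href="<?php echo $block->escapeUrl($block->getUrl('checkout/cart')); ?>">Cart</a>
<div><?php /* @noEscape */ echo $block->getChildHtml('content'); ?></div>
<span><?php echo $block->getTitleHtml(); ?></span>
<span><?php echo (int) $block->getQty(); ?></span>
<span><?php echo 'static text'; ?></span>
PHTML;

foreach (classifyEchoes($template) as $expr => $verdict) {
    printf("%-24s %s\n", $verdict, $expr);
}
```

Only the first line of the sample, the bare `$block->getTitle()`, comes back UNVERIFIED; every other echo is either annotated or matches one of the safe forms.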

Read the Magento Docs at 2.0 or 2.1