Change record status: 
Project: 
Introduced in branch: 8.0.x
Description: 

SafeMarkup::format() and t() accept placeholders such as @variable and %variable. A new :variable placeholder for URLs used in HTML attributes such as "href" and "src" has been added.

:variable values are filtered for dangerous protocols using UrlHelper::stripDangerousProtocols() and escaped to HTML using Html::escape(). Use this when passing in a URL, such as when using the "src" or "href" attributes, ensuring the value is always wrapped in quotes:

  • Secure: <a href=":variable">@variable</a>
  • Insecure: <a href=:variable>@variable</a>

When :variable comes from arbitrary user input, the result is secure, but not guaranteed to be a valid URL (which means the resulting output could fail HTML validation). To guarantee a valid URL, use Url::fromUri($user_input)->toString() (which either throws an exception or returns a well-formed URL) before passing the result into a :variable placeholder.

To illustrate, this placeholder can be used like this:

// The dangerous "javascript:" protocol is stripped from the :url value and the
// remainder is HTML-escaped, so the attribute below renders as href="XSS".
$output = t('<a href=":url">Foo bar.</a>', [':url' => 'javascript:XSS']);
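The following stand-alone PHP script is an added example, not Drupal's own code, that re-implements the placeholder rules this record describes (@ escapes, % escapes and wraps, : strips dangerous protocols then escapes) so the behaviour of :variable can be exercised outside a Drupal site. The functions strip_dangerous_protocols(), html_escape() and format_placeholders(), the ALLOWED_PROTOCOLS list and all sample URLs are constructed for illustration and only mirror the intent of UrlHelper::stripDangerousProtocols(), Html::escape() and SafeMarkup::format(); like the real :variable handling, the script does not validate that the result is a well-formed URL.

```php
<?php
// Added example: a simplified stand-in for the Drupal helpers named in this
// change record, written to show what ':variable' does to a URL value.
declare(strict_types=1);

// Constructed allowlist of URL schemes for the example.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto', 'tel'];

/**
 * Mirrors the intent of UrlHelper::stripDangerousProtocols(): repeatedly
 * remove a leading scheme that is not on the allowlist, so that
 * "javascript:alert(1)" becomes "alert(1)" while a relative URL is untouched.
 */
function strip_dangerous_protocols(string $uri): string
{
    $allowed = array_flip(ALLOWED_PROTOCOLS);
    do {
        $before = $uri;
        $colon = strpos($uri, ':');
        if ($colon > 0) {
            $scheme = substr($uri, 0, $colon);
            // A '/', '?' or '#' before the colon means this is not a scheme
            // (e.g. "/path?next=a:b"); the URL inherits the page's protocol.
            if (preg_match('![/?#]!', $scheme)) {
                break;
            }
            // Scheme comparison is case-insensitive (RFC 3986).
            if (!isset($allowed[strtolower($scheme)])) {
                $uri = substr($uri, $colon + 1);
            }
        }
    } while ($before !== $uri);
    return $uri;
}

/** Stand-in for Html::escape(): escape &, <, >, " and ' for an HTML context. */
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Simplified SafeMarkup::format(): substitute placeholders by their prefix.
 *   @name -> escaped text
 *   %name -> escaped text wrapped in <em class="placeholder">
 *   :name -> dangerous scheme stripped, then escaped (for a quoted URL attribute)
 */
function format_placeholders(string $string, array $args): string
{
    $replacements = [];
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $replacements[$key] = html_escape($value);
                break;
            case '%':
                $replacements[$key] = '<em class="placeholder">' . html_escape($value) . '</em>';
                break;
            case ':':
                $replacements[$key] = html_escape(strip_dangerous_protocols($value));
                break;
        }
    }
    return strtr($string, $replacements);
}

// Constructed sample values; each shows one branch of the stripping logic.
$samples = [
    'https://example.com/?q=a&b=c', // ordinary URL: only the '&' is escaped
    'javascript:alert(1)',          // dangerous scheme: removed
    'JaVaScRiPt:alert(1)',          // mixed case: still removed
    'java:script:alert(1)',         // nested schemes: loop removes both
    '/relative/path?next=foo:bar',  // colon after '/' is not a scheme: kept
    'https://example.com/a b',      // space survives escaping: quotes required
];

foreach ($samples as $url) {
    // Always quote the attribute: html_escape() neutralises quotes, not spaces,
    // so an unquoted href=:url would let a value with spaces add attributes.
    echo format_placeholders('<a href=":url">@text</a>', [':url' => $url, '@text' => $url]), "\n";
}
```

Running the script prints one anchor per sample; the javascript: variants all render as href="alert(1)", the relative path and the ordinary URL pass through with only HTML escaping applied, and the last sample shows why the page insists on quoting the attribute: the space in the value is left intact by escaping, which is harmless inside href="..." but would terminate an unquoted attribute value.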

Related change records

See Twig autoescape enabled and text sanitization APIs updated for a full list of related change records.

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done