SafeMarkup::format() and t() accept placeholders such as %variable. A new :variable placeholder for URLs used in HTML attributes such as "href" and "src" has been added.

:variable values are filtered for dangerous protocols using UrlHelper::stripDangerousProtocols() and escaped to HTML using Html::escape(). Use this when passing in a URL, such as when using the "src" or "href" attributes, ensuring the value is always wrapped in quotes:
When :variable comes from arbitrary user input, the result is secure, but not guaranteed to be a valid URL (which means the resulting output could fail HTML validation). To guarantee a valid URL, use Url::fromUri($user_input)->toString() (which either throws an exception or returns a well-formed URL) before passing the result into a
To illustrate, this placeholder can be used like this:
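The following is an added example, not code from the change record itself. It shows the :variable placeholder handling an untrusted href next to the stricter Url::fromUri() variant described above. It uses Drupal\Component\Render\FormattableMarkup, which is where the placeholder formatting now lives; the function names example_render_user_link() and example_render_validated_link() and the sample inputs are constructed for this illustration and assume a bootstrapped Drupal 8 site (for example run as a drush php:script).

```php
<?php
// Added example (not part of the change record). Assumes Drupal 8 class
// autoloading is available, e.g. when run inside a module or via drush.

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Core\Url;

/**
 * Renders a link whose href and label both come from untrusted input.
 *
 * ':url' is passed through UrlHelper::stripDangerousProtocols() and then
 * HTML-escaped by the placeholder logic; '@label' is HTML-escaped only.
 * The attribute value is wrapped in double quotes, as the change record
 * requires for the ':' placeholder.
 */
function example_render_user_link(string $user_url, string $user_label): FormattableMarkup {
  return new FormattableMarkup('<a href=":url">@label</a>', [
    ':url' => $user_url,
    '@label' => $user_label,
  ]);
}

/**
 * Stricter variant: rejects input that is not a well-formed URL instead of
 * merely neutralising it. Url::fromUri() throws \InvalidArgumentException on
 * malformed input (including a "javascript:" scheme), so the caller can
 * decide how to handle it rather than emitting an href that fails validation.
 */
function example_render_validated_link(string $user_url, string $user_label): ?FormattableMarkup {
  try {
    $safe_url = Url::fromUri($user_url)->toString();
  }
  catch (\InvalidArgumentException $e) {
    // Not a valid URI: refuse to render rather than output a broken href.
    return NULL;
  }
  return new FormattableMarkup('<a href=":url">@label</a>', [
    ':url' => $safe_url,
    '@label' => $user_label,
  ]);
}

// Constructed sample inputs: a normal external URL, a dangerous-protocol
// value, and a string that is not a URL at all.
$inputs = [
  ['https://example.com/?a=1&b=2', 'Example <b>site</b>'],
  ['javascript:alert(1)', 'Click "me"'],
  ['not a url', 'Broken'],
];

foreach ($inputs as [$url, $label]) {
  // First form: the dangerous protocol is stripped and everything is escaped,
  // but "not a url" still ends up as a (harmless) href value.
  print (string) example_render_user_link($url, $label) . "\n";

  // Second form: only well-formed URLs are rendered at all.
  $validated = example_render_validated_link($url, $label);
  print ($validated === NULL ? '[rejected: not a valid URL]' : (string) $validated) . "\n";
}
```

The first function is sufficient for output safety; the second is what to use when the rendered markup must also be valid HTML, since UrlHelper::stripDangerousProtocols() neutralises a value without telling you it was malformed.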
Related change records
See Twig autoescape enabled and text sanitization APIs updated for a full list of related change records.