Problem/Motivation

The FormattableMarkup::placeholderFormat() doc says about :variable placeholders:

Use when the return value is to be used as a URL value of an HTML attribute. Only the "href" attribute is supported.
[...]
Use this when using the "href" attribute, ensuring the value is always wrapped in quotes.

Is there a reason to restrict it to href attributes?
I think it makes sense to use this kind of placeholder on other attributes containing URLs that could be an XSS vector:

  • src attribute on iframe elements
  • action attribute on form element
  • data attributes that store a URL (that is used later in JS for example)

:variable placeholders are sanitized like this:

  1. Dangerous protocols are removed.
  2. The value is HTML escaped.

I think the only reason we don't want to use it on any attribute is that step 1 would mangle non-URL attributes containing a : character. But it totally makes sense on any attribute that will always contain a URL.
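As an added illustration (a simplified reimplementation written for this issue, not Drupal core's UrlHelper or FormattableMarkup code; the protocol allow-list is an assumed, trimmed one), this runs the two steps above over the attributes listed and over a non-URL attribute containing a colon:

```php
<?php
// Added example (not Drupal core code): a simplified reimplementation of the
// two steps applied to ":variable" placeholders, run on several attributes.
// The protocol allow-list below is an assumed, trimmed version of Drupal's.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto'];

/**
 * Step 1: strip any leading scheme that is not allow-listed. Repeats until
 * the value stops changing, so a stacked "javascript:javascript:..." prefix
 * cannot survive a single pass.
 */
function stripDangerousProtocols(string $uri): string {
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {
      $protocol = substr($uri, 0, $colonpos);
      // A '/', '?' or '#' before the colon means this is a relative URL,
      // not a scheme; leave it alone.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      if (!in_array(strtolower($protocol), ALLOWED_PROTOCOLS, true)) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

/**
 * Step 2: HTML-escape so the value cannot break out of the quoted attribute.
 */
function sanitizeUrlPlaceholder(string $value): string {
  return htmlspecialchars(stripDangerousProtocols($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values: three URL-bearing attributes where the steps
// fit, and one non-URL attribute that step 1 mangles.
$cases = [
  ['iframe', 'src',      'javascript:alert(1)'],
  ['form',   'action',   'https://example.com/submit?a=1&b="x"'],
  ['div',    'data-url', 'JaVaScRiPt:alert(1)'],
  ['time',   'datetime', '2024-01-01T12:30'],
];
foreach ($cases as [$tag, $attr, $value]) {
  printf('<%s %s="%s">%s', $tag, $attr, sanitizeUrlPlaceholder($value), PHP_EOL);
}
```

The datetime case shows the mangling mentioned above: 2024-01-01T12 is treated as a scheme and stripped, leaving only 30, while the three URL attributes come out with the scheme removed or the quotes and ampersand escaped.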

Proposed resolution

Edit the docblock to be about any attribute containing a URL.

Comments

prudloff created an issue.

Title: Don't FormattableMarkup::placeholderFormat() doc for :variable placeholders to href attribute » Don't restrict FormattableMarkup::placeholderFormat() doc for :variable placeholders to href attributes

prudloff:

Just noticed we give this example in the doc:

// Use a : placeholder inside an HTML tag.
$this->placeholderFormat('<img src=":foo" />', [
  ':foo' => '/image.png',
]);

While still saying that only href is supported.