Figure out what to do about attribute filtering in Twig

In Twig, it's possible to do (and core does this in a few places) code like this, from breadcrumb.html.twig, that directly prints variables inside of an HTML attribute (esp. URLs in <a href> and <img src>):

<a href="{{ item.url }}">{{ item.text }}</a>

As long as the preprocess function (like template_preprocess_breadcrumb() is calling the proper URL sanitization functions (in this case $link->getUrl()->toString()), that {{ item.url }} is fine. However, there may be an expectation that Twig does this URL sanitization for you, since it does do this for HTML text, and therefore people might accidentally introduce XSS vectors in their code.

This is not a new problem. In Drupal 7, this was also your responsibility. And even in Twig, all Twig authors have to deal with this, either by piping to the url_encode or |e('html_attr'), or using the attribute object, or dealing with it in the prepping code.

What's new to Drupal 8 is that preprocess functions no longer need to make variables used within HTML text or fragments safe, as that gets autoescaped, so there is a bit of an inconsistency currently that preprocess functions in HEAD explicitly sanitize URLs, but not anything else, and a corollary inconsistency in which variables Twig templates print via the attributes object and which ones it prints directly into attribute values, such as <a href="{{ item.url }}">.

Possible things we could do:

- Nothing. Trust people new to D8 will read the Twig docs about this issue.
- Document cases like the above (there are lots of them) in the template and explain why they are safe.
- Either override or submit upstream an override for html_attr that does protocol filtering as well so it can be used for either URLs or strings
- Other?