{% trans %} (and other parts of templates) are unable to use URL escaping

Created on 26 September 2015, over 9 years ago
Updated 29 May 2025, 3 days ago

Problem/Motivation

In #2565895: "Add a new :placeholder to SafeMarkup::format() for URLs that handles bad protocols", we added :variable placeholders so that URLs can be secured against bad protocols. However, this is not possible in Twig {% trans %}, which has only the equivalents of @ and %.
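
To show why the @ equivalent is not enough for a URL, here is an added PHP sketch (not Drupal's code and not taken from this issue) that models the three placeholder types. The function names and the allow-list of schemes are assumptions made for the example.

```php
<?php
// Stand-alone model of @, % and : placeholders; names are hypothetical.
// ALLOWED_SCHEMES is an assumed allow-list for this sketch.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function escape_html(string $s): string {
  return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Drop leading "scheme:" prefixes until the URI is relative or uses an allowed scheme.
function strip_bad_scheme(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon !== false && $colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A "/", "?" or "#" before the colon means it is not a scheme separator.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

function format_markup(string $template, array $args): string {
  $out = [];
  foreach ($args as $key => $value) {
    $safe = escape_html((string) $value);
    switch (substr((string) $key, 0, 1)) {
      case '@': $out[$key] = $safe; break;
      case '%': $out[$key] = '<em class="placeholder">' . $safe . '</em>'; break;
      case ':': $out[$key] = escape_html(strip_bad_scheme((string) $value)); break;
      default: throw new InvalidArgumentException("Unsupported placeholder: $key");
    }
  }
  return strtr($template, $out);
}

// Constructed input: a link value that did not come from a trusted source.
$url = 'javascript:alert(1)';
echo format_markup('<a href="@url">Read more</a>', ['@url' => $url]), "\n";
echo format_markup('<a href=":url">Read more</a>', [':url' => $url]), "\n";
echo format_markup('<a href=":url">Read more</a>', [':url' => 'https://example.com/?a=1&b=2']), "\n";
```

With @url the javascript: scheme passes through HTML escaping unchanged and lands in the href; with :url the scheme is stripped first, while the https link is kept and only has its ampersand escaped.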

Proposed resolution

Add a Twig filter and placeholder for {% trans %}.

Remaining tasks

Commit

User interface changes

None.

API changes

A new filter and placeholder for {% trans %}.

Data model changes

None.

Why this should be an RC target

#2565895: "Add a new :placeholder to SafeMarkup::format() for URLs that handles bad protocols", which introduced this on the PHP side, was an RC/release-blocking critical. It should have already added support for :placeholder in Twig. Not allowing Twig templates to use the URL filtering like the rest of the Drupal codebase may lead to security issues and translatable string inconsistencies (e.g. a string properly using the :placeholder in PHP will not be reusable in templates because Twig's {% trans %} lacks support for it).

Bug report

Status: Needs work

Version: 11.0

Component: theme system

Created by: lauriii (Finland)

Issue tags
  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

  • D8MI

    (Drupal 8 Multilingual Initiative) is the tag used by the multilingual initiative to mark core issues (and some contributed module issues). For versions other than Drupal 8, use the i18n (Internationalization) tag on issues which involve or affect multilingual / multinational support. That is preferred over Translation.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Triaged core major

    There is consensus among core maintainers that this is a major issue. Only core committers should add this tag.

Comments & Activities

  • First commit to issue fork.