In #2565895: Add a new :placeholder to SafeMarkup::format() for URLs that handles bad protocols → we added :variable placeholders so that URLs can be secured from bad protocols. However this is not possible in Twig {% trans %}, which has the equivalent of @ and % only.
Add a Twig filter and placeholder for {% trans %}.
Commit
None.
A new filter and placeholder for {% trans %}.
None.
#2565895: Add a new :placeholder to SafeMarkup::format() for URLs that handles bad protocols → which introduced this on the PHP side was an RC/release blocking critical. It should have already added support for :placeholder in Twig. Not allowing Twig templates to use the URL filtering like the rest of the Drupal codebase may lead to security issues and translatable string inconsistencies (Eg. a string properly using the :placeholder in PHP will not be reusable in templates because Twig's %trans% lacks support for it).
Needs work
11.0 🔥
theme system
A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.
(Drupal 8 Multilingual Initiative) is the tag used by the multilingual initiative to mark core issues (and some contributed module issues). For versions other than Drupal 8, use the i18n (Internationalization) tag on issues which involve or affect multilingual / multinational support. That is preferred over Translation.
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
There is consensus among core maintainers that this is a major issue. Only core committers should add this tag.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Left some comments in the MR.
Believe we may still need the CR and follow up issue mentioned before so leaving those tags.
I believe comments have been addressed but we still need the CR and the followup.