The insecure examples shown on FormattableMarkup::placeholderFormat() does not include string delimiters.
$this->placeholderFormat('<@foo>text</@foo>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a @foo>link text</a>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a href="@foo">link text</a>, ['@foo' => $some_variable]);
$this->placeholderFormat('<a title="@foo">link text</a>, ['@foo' => $some_variable]);The correct code is the following one.
$this->placeholderFormat('<@foo>text</@foo>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a @foo>link text</a>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a href="@foo">link text</a>', ['@foo' => $some_variable]);
$this->placeholderFormat('<a title="@foo">link text</a>', ['@foo' => $some_variable]);Active
11.0 🔥
documentation
I would rather wait 📌 Correct the comment grammar Active is fixed, before creating a merge request for this issue.
Can we use the full issue summary template please.
Committed/pushed to 11.x and cherry-picked to 11.2.x, thanks!
Automatically closed - issue fixed for 2 weeks with no activity.