>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3589136. --> Reported by: [philipnorton42](https://www.drupal.org/user/545978) Related to !46 >>> <h3 id="summary-problem-motivation">Problem/Motivation</h3> <p>I was looking at the templates of this module today and I noticed a small issue with the template localgov-waste-collection-collection-item.html.twig. This uses a URL that can be entered by the user in an insecure way.</p> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {{ 'Public holiday - services may be affected. Check service updates on &lt;a href="@link"&gt;our website&lt;/a&gt;'|t({<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; '@link': service_updates_path<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; })|raw }}</pre><p>This allows potentially insecure URLs to be added to the "Path or URL for service updates" field in the Public holidays section of the admin area, which are then not escaped when rendered in the template.</p> <h3 id="summary-proposed-resolution">Proposed resolution</h3> <p>The documentation on placeholders states that the ":variable" format should be used for URL parameters to remove any dangerous protocols.</p> <p>See: <a href="https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Render%21FormattableMarkup.php/function/FormattableMarkup%3A%3AplaceholderFormat/11.x">https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Render%21FormattableMarkup.php/function/FormattableMarkup%3A%3AplaceholderFormat/11.x</a></p> <p>Essentially, the template should change to be this:</p> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {{ 'Public holiday - services may be affected. Check service updates on &lt;a href=":link"&gt;our website&lt;/a&gt;'|t({<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ':link': service_updates_path<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; })|raw }}</pre>