Remediation Steps

Follow the steps below to remediate this finding on Drupal.

  1. Use Drupal's input sanitisation and output escaping functions:
     • \Drupal\Component\Utility\Html::escape($string) — HTML context
     • \Drupal\Component\Utility\UrlHelper::filterQueryParameters() — URL context
     • Use the t() function for user-facing strings and Twig's auto-escaping in templates.
  2. Never wrap user input in Markup::create() without thorough sanitisation, since Markup tells the renderer the string is already safe and switches escaping off.
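As an added example (not code from this page or from Drupal core), a controller that places the unsafe Markup::create() pattern beside a hardened version built from the functions listed above. It assumes a Drupal 9/10 site; the module name, the route and the excluded query key are assumptions.

```php
<?php
// Added example, not part of the original page or of Drupal core. Assumes a
// Drupal 9/10 site; the module name (mymodule) and the route are hypothetical.
namespace Drupal\mymodule\Controller;

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Render\Markup;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\Request;

class GreetingController extends ControllerBase {

  // VULNERABLE: Markup::create() tells the renderer the string is already safe,
  // so whatever arrives in ?name= is emitted verbatim (reflected XSS).
  public function unsafe(Request $request) {
    $name = $request->query->get('name', '');
    return ['#markup' => Markup::create('<p>Hello ' . $name . '</p>')];
  }

  // HARDENED: escape per output context and never hand raw input to Markup.
  public function safe(Request $request) {
    $name = $request->query->get('name', '');

    // HTML context: '@name' placeholders are escaped by t(); '#plain_text'
    // is escaped by the renderer. Both are preferred over manual escaping.
    $greeting = $this->t('Hello @name', ['@name' => $name]);

    // When markup must be built by hand, escape first; only then is
    // Markup::create() on the result acceptable (step 2 above).
    $badge = Markup::create('<span class="badge">' . Html::escape($name) . '</span>');

    // URL context: drop parameters that must not be reflected back (the
    // exclusion list is a constructed sample), then let Url re-encode the rest.
    $query = UrlHelper::filterQueryParameters($request->query->all(), ['destination']);

    return [
      'greeting' => ['#markup' => $greeting],
      'raw' => ['#plain_text' => $name],
      'badge' => ['#markup' => $badge],
      'back' => [
        '#type' => 'link',
        '#title' => $this->t('Back'),
        '#url' => Url::fromRoute('<front>', [], ['query' => $query]),
      ],
    ];
  }

}
```

Requesting the unsafe route with a name containing a script tag reproduces the finding; the safe route renders the same input as inert text in every context.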