Cross-Site Scripting (XSS)
With the adoption of Twig as the templating system, protection against XSS attacks has improved significantly. This adoption has two main consequences. The first is the separation of presentation from business logic: themers and developers can no longer directly access Drupal’s APIs or run SQL queries from templates. To expose any such functionality, Twig extensions and filters can be used, but they require the logic to be encapsulated inside a module.
The second consequence is Twig auto-escaping: any string not specifically marked as safe is escaped by Twig using the native PHP htmlspecialchars() function.
Sanitization methods in Drupal
Twig auto-escapes any string that is output using the normal notation, as follows:
{{ variable_name }}
However, there are cases in which the variable has already been marked safe, and Twig no longer escapes...
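The auto-escaping behaviour described above, and the "already marked safe" case, as an added example that is not part of the original text or of Drupal's own code. It uses the standalone Twig library (assumed to be installed via Composer) so it runs outside Drupal; the template, the variable names and the untrusted input are constructed for the demonstration.

```php
<?php
// Added example (not from the page): standalone Twig 3 rendering that shows
// the auto-escaping behaviour described above. Assumes twig/twig is installed
// via Composer; in Drupal the environment is built for you by the theme layer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

// Constructed template: the same variable printed three ways.
const DEMO_TEMPLATE = <<<'TWIG'
<p>{{ comment }}</p>
<p>{{ trusted }}</p>
<p>{{ comment|raw }}</p>
TWIG;

function renderDemo(string $untrusted): string
{
    $loader = new ArrayLoader(['demo' => DEMO_TEMPLATE]);
    // 'html' is Twig's default strategy; it runs
    // htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') on every
    // value that is not already marked safe.
    $twig = new Environment($loader, ['autoescape' => 'html']);

    return $twig->render('demo', [
        // Plain string: escaped on output, so the markup is rendered as text.
        'comment' => $untrusted,
        // Twig\Markup tells the escaper the string is already safe, so it is
        // printed verbatim. Drupal's \Drupal\Core\Render\Markup::create() plays
        // the same role (objects implementing MarkupInterface are not escaped),
        // which is why it must only wrap strings a module has sanitized itself.
        'trusted' => new Markup('<em>Already sanitized in a module</em>', 'UTF-8'),
    ]);
}

// Constructed untrusted input standing in for a user-submitted comment.
$userInput = '<script>alert("xss")</script>';
echo renderDemo($userInput);
// The first <p> shows the tags turned into text, the second shows the
// safe-marked string passing through, and the third (|raw) shows the escape
// hatch printing the input unchanged, which is the XSS auto-escaping prevents.
```

Run it with `php demo.php` and compare the three paragraphs; `|raw` and safe-marked objects are the two places where a template can reintroduce unescaped output, so they are what a review of a theme should look for.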