Security Warning: merge tags as HTML attribute values

If your form confirmation is using a merge tag as a value for an HTML attribute, you may see the following warning:

Your confirmation message appears to contain a merge tag as the value for an HTML attribute. Depending on the attribute and field type, this might be a security risk.

Example:
<a href="{My Text Field:1}">Link</a>

This can result in a cross-site scripting (XSS) vulnerability for most field types. The following field types are safe to use as values for HTML attributes: Calculation, Email, File Upload, Time.

Regardless of the field type, if you decide to continue, please ensure you enable confirmation sanitization using the gform_sanitize_confirmation_message filter. This will remove all potentially dangerous scripts and tags from your confirmation.
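The following is an added example, not code from Gravity Forms: it enables the filter named above and audits a confirmation message for merge tags placed inside HTML attribute values. The helper find_attribute_merge_tags(), the sample message and the field-type map are hypothetical and constructed for illustration; the type labels are the ones listed on this page, not Gravity Forms' internal identifiers. add_filter() and __return_true() are WordPress core functions.

```php
<?php
// Added example, not Gravity Forms code. Enables the filter named above when
// running inside WordPress; the guard lets the file also run under plain PHP CLI.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'gform_sanitize_confirmation_message', '__return_true' );
}

// Field types the page lists as safe for attribute values (labels as on the page).
const SAFE_ATTR_FIELD_TYPES = array( 'Calculation', 'Email', 'File Upload', 'Time' );

/**
 * Hypothetical helper: list merge tags used inside HTML attribute values.
 * $field_types maps field ID => field type label; unknown IDs count as risky.
 */
function find_attribute_merge_tags( string $message, array $field_types ): array {
    $findings = array();
    // Walk each opening tag, then each quoted attribute inside it.
    preg_match_all( '/<[a-zA-Z][^<>]*>/', $message, $tags );
    foreach ( $tags[0] as $tag ) {
        preg_match_all( '/([a-zA-Z_:][\w:.-]*)\s*=\s*("[^"]*"|\'[^\']*\')/', $tag, $attrs, PREG_SET_ORDER );
        foreach ( $attrs as $attr ) {
            // Merge tags look like {Label:ID}, optionally {Label:ID.input} or {Label:ID:modifier}.
            preg_match_all( '/\{[^{}]*?:(\d+)(?:\.\d+)?(?::[^{}]*)?\}/', $attr[2], $merge, PREG_SET_ORDER );
            foreach ( $merge as $m ) {
                $type       = $field_types[ (int) $m[1] ] ?? 'unknown';
                $findings[] = array(
                    'attribute' => strtolower( $attr[1] ),
                    'merge_tag' => $m[0],
                    'type'      => $type,
                    'risky'     => ! in_array( $type, SAFE_ATTR_FIELD_TYPES, true ),
                );
            }
        }
    }
    return $findings;
}

// Constructed sample confirmation and field map (not taken from a real form).
$message = '<p>Thanks, {Name:2}!</p><a href="{My Text Field:1}">Link</a> '
         . '<a href="mailto:{Email:3}">Reply</a>';
$types   = array( 1 => 'Text', 2 => 'Text', 3 => 'Email' );

foreach ( find_attribute_merge_tags( $message, $types ) as $f ) {
    printf( "%-5s %-22s %-8s %s\n", $f['attribute'], $f['merge_tag'], $f['type'], $f['risky'] ? 'REVIEW' : 'ok' );
}
```

Merge tags in element text, such as {Name:2} in the sample, are not reported because the warning concerns attribute values only.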