If your form confirmation is using a merge tag as a value for an HTML attribute, you may see the following warning:
Your confirmation message appears to contain a merge tag as the value for an HTML attribute. Depending on the attribute and field type, this might be a security risk.
Example:
Link
This can result in a Cross Site Scripting (XSS) vulnerability for most field types. The following field types are safe to use as values for HTML attributes: Calculation, Email, File Upload, Time.
Regardless of the field type, if you decide to continue, please ensure you enable confirmation sanitization using the gform_sanitize_confirmation_message filter. This will remove all potentially dangerous scripts and tags from your confirmation.
Security Warning: merge tags as HTML attribute values
Security Warning: merge tags as HTML attribute values