
Content altered in HTL/Sightly in AEM 6


This is the weirdest issue I've ever faced in a long time. I have a URL that is authored inside a multifield. The URL has an underscore, e.g. http://example.net/_pinkPanther_is_pink, and it is currently inside ${item.link}.

When I do <a href="${item.link}">Click</a> <br> ${item.link} and inspect, it renders as

    <a href="http://example.net/__pinkPanther_is_pink">Click</a>
    <br> http://example.net/_pinkPanther_is_pink

If you notice, both values are coming from the same variable in Sightly; still, when the link is used inside the href of the anchor tag, there is a double underscore added by God knows who after example.net/

Does anybody have a clue as to what on earth is going on?


Solution

  • That's caused by the display-context-aware XSS protection. Sightly/HTL automatically detects the display context of an HTL expression, using its location within the structure of the HTML page to detect it.

    For example, if the expression appears in a place that would produce text once rendered, then it is said to be in a text context. If it is found within the value of an attribute, then it is said to be in an attribute context, and so forth. More about contexts in the HTL specification page.

    In your example, the implicit context inside the href attribute is uri, while in the latter case it is text.

    In order to overwrite this behaviour, you may explicitly set the context like href="${item.link @ context='text'}".
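
The difference between the two contexts, as an added example that is not part of the original answer and is not HTL's or AEM's own code: a simplified JavaScript model showing that text-style encoding leaves a link's scheme untouched, so an href rendered with context='text' needs a separate scheme check. The function names, the http/https allowlist and the sample links are assumptions made for this illustration.

```javascript
'use strict';

// Assumption: the site only wants absolute http/https links from authors.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Simplified model of a text context: HTML special characters are encoded,
// nothing else about the value is inspected.
function encodeForText(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical helper: the scheme check an href still needs once URI
// validation has been switched off. Returns the normalized URL, or ''
// when the value is malformed, relative, or uses a scheme not on the list.
function validatedHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch (err) {
    return ''; // this narrow example rejects relative and malformed links
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : '';
}

// Render the anchor only when the link passes validation; otherwise fall
// back to plain text so no unchecked value ever reaches href.
function renderAnchor(link) {
  const href = validatedHref(link);
  return href === '' ? 'Click' : `<a href="${encodeForText(href)}">Click</a>`;
}

// Constructed sample links: the one from the question and a script-scheme one.
const samples = ['http://example.net/_pinkPanther_is_pink', 'javascript:alert(1)'];
for (const link of samples) {
  console.log(`${encodeForText(link)}  ->  ${renderAnchor(link)}`);
}
```

In AEM the equivalent check would sit in the component's model or Use object, so the value handed to `${item.link @ context='text'}` has already been validated.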