Text formatted with CKEditor within Canvas gets double escaped when output

Created on 5 October 2025, about 1 month ago
Updated 7 October 2025, about 1 month ago

Overview

I have a basic text component. The schema invokes CKEditor:

props:
  type: object
  properties:
    text:
      title: Text
      type: string
      contentMediaType: text/html
      x-formatting-context: block

However, when I output this as {{ text }}, I get escaped HTML. I can fix this by doing {{ text|raw }}, but this isn't in the examples, and obviously has security implications. I'd also argue this negatively affects the developer experience.

We had a discussion in Slack at https://drupal.slack.com/archives/C072JMEPUS1/p1759666595931849. One note is that:

My concern is that this text component could be used in different page builders outside of Canvas. And the other page builders might not use CKEditor to filter.

This could result in an XSS vulnerability.

Proposed resolution

Output as `markup` so the text doesn't get double escaped.
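The following is an added example, not code from this issue or from Drupal Canvas, showing what "output as markup" means on the PHP side and why it only removes the need for `|raw` safely when the value handed to Twig is the output of the text format's filters. It assumes Drupal 10/11 core APIs (`check_markup()`, `Markup`, the `component` render element); the format id `basic_html` and the component id `mymodule:text` are placeholders.

```php
<?php
// Added example, not code from the issue or from Drupal Canvas.
// Assumes Drupal 10/11 core APIs; 'basic_html' and 'mymodule:text' are
// placeholder names for this illustration.

use Drupal\Component\Render\MarkupInterface;
use Drupal\Core\Render\Markup;

/**
 * Builds a render array for an SDC 'text' component from a stored
 * contentMediaType: text/html prop value.
 *
 * Whether `{{ text }}` in the component template prints HTML or
 * entity-escaped text depends only on the PHP type of the prop: Drupal's
 * Twig escape filter passes MarkupInterface objects through unchanged and
 * htmlspecialchars()-escapes plain strings. So the fix is to hand Twig a
 * MarkupInterface, but that object should be what the text format's filter
 * chain produced, not a bare Markup::create() around whatever was stored.
 */
function text_component_build(string $stored_html, string $format_id = 'basic_html'): array {
  // check_markup() renders a 'processed_text' element: the format's filters
  // run (filter_html drops tags and attributes the format does not allow)
  // and the result is returned as MarkupInterface, so the template can use
  // {{ text }} without |raw and without double escaping.
  $filtered = check_markup($stored_html, $format_id);

  return [
    '#type' => 'component',
    '#component' => 'mymodule:text',
    '#props' => ['text' => $filtered],
  ];
}

/**
 * The shortcut to avoid: marks arbitrary stored HTML as safe without
 * filtering. This is `{{ text|raw }}` by another name. If a different page
 * builder (or a direct database write) stored unfiltered HTML in the same
 * prop, it is rendered verbatim.
 */
function text_component_build_unsafe(string $stored_html): array {
  return [
    '#type' => 'component',
    '#component' => 'mymodule:text',
    '#props' => ['text' => Markup::create($stored_html)],
  ];
}

/**
 * Guard for a hypothetical prop-transform step: refuse to pass a text/html
 * prop to Twig unless it is already a MarkupInterface, which in this
 * module's convention means it came out of check_markup(). A plain string
 * here would silently be escaped again, reproducing the double escaping
 * from the issue.
 */
function assert_html_prop_is_filtered_markup(mixed $value): MarkupInterface {
  if (!$value instanceof MarkupInterface) {
    throw new \InvalidArgumentException(
      'text/html prop must be filtered MarkupInterface, got ' . get_debug_type($value)
    );
  }
  return $value;
}
```

In practice the constructed input that distinguishes the two builders is something like `<p>Hi</p><img src=x onerror=alert(1)>`: through `text_component_build()` the `onerror` attribute is removed by the format's `filter_html` (assuming the format does not allow it) before the value becomes markup, whereas `text_component_build_unsafe()` marks the handler as safe and the template prints it.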

πŸ› Bug report
Status

Needs work

Version

1.0

Component

Shape matching

Created by

🇺🇸 United States mherchel Gainesville, FL, US

