`GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput()` allows garbage to pile up [#3524401]

Overview

Unlike for the block component source plugin (see #3524399: `BlockComponent::validateComponentInput()` allows garbage to pile up), no garbage values are AFAICT allowed for the sdc and js component sources.

This is thanks to GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput() calling

$this->componentValidator->validateProps($resolvedInputValues, $this->getSdcPlugin());

which would complain about unused props.

~~… or so I think 😅~~ Nope: see @akhil babu's research in #5.

Proposed resolution

~~Add test coverage to prove that the SDC + JS component sources are unaffected.~~ → disproven by @akhil babu in #5.

Test coverage: a new GeneratedFieldExplicitInputUxComponentSourceBase::testValidateComponentInput(), that tests garbage values being set for the sdc.xb_test_sdc.props-slotsSDC.
Fix GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput().

User interface changes

None.

Issue fork canvas-3524401

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3524401-generatedfieldexplicitinputuxcomponentsourcebasevalidatecomponentinput-allows-garbage changes, plain diff MR !424
Check out this branch for the first time

Check out existing branch, if you already have it locally

Issue fork experience_builder-3524401

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

1 hidden branch

3524401-generatedfieldexplicitinputuxcomponentsourcebasevalidatecomponentinput-allows-garbage

changes, plain diff MR !1039

Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

14 May 2025 at 11:36

wim leers created an issue. See original summary.

Comment #2

wim leers

Ghent 🇧🇪🇪🇺

commented 14 May 2025 at 12:20

Issue tags:

+garbage

Comment #3

akhil babu

he/him

commented 14 May 2025 at 13:07

Could you please give an example for 'garbage value'?

Comment #4

wim leers

Ghent 🇧🇪🇪🇺

commented 14 May 2025 at 13:38

An SDC with the following in its *.component.yml:

props:
  type: object
  required:
    - heading
  properties:
    heading:
      type: string
      title: Heading
      examples:
        - blabla

… yet the explicit input it receives is not

heading: "something"

but

heading: "something"
foo: :"bar"

IOW: some key-value pairs that are not expected by the SDC!

Comment #5

akhil babu

he/him

commented 15 May 2025 at 10:59

Thanks @wim leers🙏. I just tested this using the 'Heading' SDC, by adding an extra property 'textUnwanted' when making a curl request to the endpoint /xb/api/v0/layout/xb_page/5 and the changes were successfully saved. There were no validation errors regarding the unexpected prop

curl --location 'https://starshot.ddev.site/xb/api/v0/layout/xb_page/5' \
--header 'accept: */*' \
--header 'accept-language: en-US,en-GB;q=0.9,en;q=0.8' \
--header 'content-type: application/json' \
--header 'origin: https://starshot.ddev.site' \
--header 'priority: u=1, i' \
--header 'referer: https://starshot.ddev.site/xb/xb_page/5/editor/component/fdc18261-ef6e-41bd-bdba-99ecc72bf359' \
--header 'sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"' \
--header 'sec-ch-ua-mobile: ?0' \
--header 'sec-ch-ua-platform: "Linux"' \
--header 'sec-fetch-dest: empty' \
--header 'sec-fetch-mode: cors' \
--header 'sec-fetch-site: same-origin' \
--header 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36' \
--header 'x-csrf-token: PIqRn04kuCGgm5leY3w_pc0Oq9ZGv0mzWXds0SE7cmg' \
--header 'Cookie: SSESS1a128ff57fee5bd2b5663cea7bd52db5=n4epfmoesptq7m91dcj6skrvtl' \
--data '{
  "layout": [
    {
      "nodeType": "region",
      "id": "content",
      "name": "Content",
      "components": [
        {
          "slots": [],
          "nodeType": "component",
          "type": "sdc.experience_builder.heading",
          "uuid": "fdc18261-ef6e-41bd-bdba-99ecc72bf359"
        }
      ]
    }
  ],
  "model": {
    "fdc18261-ef6e-41bd-bdba-99ecc72bf359": {
      "name": "Heading",
      "resolved": {
        "text": "A heading element new text",
        "style": "primary",
        "element": "h1",
        "textUnwanted": "An unwanted heading" // ⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️Invalid prop
      },
      "source": {
        "text": {
          "expression": "ℹ︎string␟value",
          "sourceType": "static:field_item:string",
          "value": [
            {
              "value": "A heading element new text"
            }
          ]
        },
        "textUnwanted": { // ⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️Invalid prop
          "expression": "ℹ︎string␟value",
          "sourceType": "static:field_item:string",
          "value": [
            {
              "value": "An unwanted heading"
            }
          ]
        },
        "style": {
          "expression": "ℹ︎list_string␟value",
          "sourceType": "static:field_item:list_string",
          "value": [
            {
              "value": "primary"
            }
          ],
          "sourceTypeSettings": {
            "storage": {
              "allowed_values": [
                {
                  "value": "primary",
                  "label": "primary"
                },
                {
                  "value": "secondary",
                  "label": "secondary"
                }
              ]
            }
          }
        },
        "element": {
          "expression": "ℹ︎list_string␟value",
          "sourceType": "static:field_item:list_string",
          "value": [
            {
              "value": "h1"
            }
          ],
          "sourceTypeSettings": {
            "storage": {
              "allowed_values": [
                {
                  "value": "div",
                  "label": "div"
                },
                {
                  "value": "h1",
                  "label": "h1"
                },
                {
                  "value": "h2",
                  "label": "h2"
                },
                {
                  "value": "h3",
                  "label": "h3"
                },
                {
                  "value": "h4",
                  "label": "h4"
                },
                {
                  "value": "h5",
                  "label": "h5"
                },
                {
                  "value": "h6",
                  "label": "h6"
                }
              ]
            }
          }
        }
      }
    }
  },
  "entity_form_fields": {
    "langcode[0][value]": "en",
    "revision_log[0][value]": "",
    "title[0][value]": "Untitled page",
    "path[0][alias]": "",
    "path[0][source]": "/page/5",
    "path[0][langcode]": "en",
    "image[media_library_selection]": "",
    "description[0][value]": ""
  }
}'

Just to confirm, does this mean validateComponentInput() currently allows unexpected properties (i.e., garbage values) for SDCs?

Comment #6

wim leers

Ghent 🇧🇪🇪🇺

commented 15 May 2025 at 13:59

Title:	Test coverage to prove `GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput()` disallows garbage values	» `GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput()` allows garbage to pile up
Issue summary:	View changes

Just to confirm, does this mean validateComponentInput() currently allows unexpected properties (i.e., garbage values) for SDCs?

Indeed it does 😭

Matching the title of #3524399: `BlockComponent::validateComponentInput()` allows garbage to pile up then. 😭

Updated issue summary with an adjusted proposed resolution.

Credited you for the valuable research you've already done here, @akhil babu! 🙏

Comment #7

16 May 2025 at 09:57

akhil babu opened merge request !1039

Comment #8

akhil babu

he/him

commented 16 May 2025 at 10:43

Thanks @wim leers. I have updated GeneratedFieldExplicitInputUxComponentSourceBase::validateComponentInput() and added a check for unexpected props.

However, no exception was thrown for the curl request mentioned in #5, and the heading component was still added to the canvas. The expected error only appeared when publishing the page

Shouldn't the error have been thrown at the time of the request?

I also tried to validate 'missing' props but that resulted in many test failures as some props are not always part of user input (Like 'attribute' prop in sdc.experience_builder.my-hero component)

Comment #9

wim leers

Ghent 🇧🇪🇪🇺

commented 23 May 2025 at 13:36

Issue tags:

+stable blocker

Comment #10

lauriii

he/him

Finnish

Finland

commented 11 August 2025 at 20:06

Issue tags:

-stable blocker

Comment #11

11 August 2025 at 20:06

Project:	Experience Builder	» Drupal Canvas
Version:	0.x-dev	» 1.x-dev

Experience Builder has been renamed to Drupal Canvas in preparation for its beta release. You can now track issues on the new project page.

Comment #12

17 December 2025 at 14:25

attilatilman made their first commit to this issue’s fork.

Comment #13

17 December 2025 at 14:26

attilatilman opened merge request !424

Comment #14

22 December 2025 at 23:56

larowlan made their first commit to this issue’s fork.

Comment #15

larowlan

🇦🇺🏝.au GMT+10

commented 22 December 2025 at 23:58

Status:

Active

» Needs review

Updated the MR based on my review - but I'm wondering if we should just do GC on those properties in \Drupal\canvas\ComponentSource\ComponentSourceInterface::clientModelToInput instead rather than raise an Exception?