Overview

It's currently possible to create a JavaScript component config entity with an invalid example image prop value by using a relative path. An error happens later when the component is being loaded:

Default images for Javascript Components must be a fully-qualified URL with both scheme and host.

component.yml shape to reproduce the issue:

name: Image URL repro
machineName: image_url_repro
props:
  properties:
    image:
      type: object
      $ref: json-schema-definitions://canvas.module/image
      title: Image
      examples:
        - src: ./hero.jpg
          alt: Example image

Proposed resolution

Move JavaScript specific checks to JavaScriptComponent::checkRequirements() which is called during discovery. This delegates to ComponentMetadataRequirementsChecker::check() for the unified checks, but can also do additional checks for code components - this image src check, the component name check, and then we can add #3587211: Empty strings are incorrectly allowed as example string prop values in JavaScript component config schema here too.

#6 mentions that SDCs are affected, but SDCs allow relative images by design, because they are considered relative to the SDC itself. We even have explicit code to handle this in SingleDirectoryComponent::rewriteExampleUrl(). I don't think we can or should break this feature, SDCs can continue to provide local images.

User interface changes

n/a

Issue fork canvas-3586958

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

balintbrews created an issue. See original summary.

balintbrews’s picture

balintbrews
he/him/his
Primary language Hungarian
Location Netherlands 🇪🇺
commented
Related issues: +#3586959: Validate image prop example URLs in Code Component metadata files
balintbrews’s picture

balintbrews
he/him/his
Primary language Hungarian
Location Netherlands 🇪🇺
commented
Issue summary: View changes
balintbrews’s picture

balintbrews
he/him/his
Primary language Hungarian
Location Netherlands 🇪🇺
commented
Issue summary: View changes
balintbrews’s picture

balintbrews
he/him/his
Primary language Hungarian
Location Netherlands 🇪🇺
commented
Title: JavaScript component config schema validation allows invalid example image prop values » Relative image paths are incorrectly allowed as example image prop values in JavaScript component config schema
wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Component: … to be triaged » Component sources
Issue tags: +validation, +Needs tests

Arrrghhhhh! 😭

We did #3508725: ComponentMetadataRequirementsChecker::check() should validate that the example(s) actually match the JSON schema already because core didn't do #3493082: SDC does not respect JSON Schema validation (one of many Canvas-surfaced gaps in core's SDC implementation: #3462705: [META] Missing features in SDC needed for XB).

AFAICT this means that both SDCs and code components are affected, and the problem is not config schema, but \Drupal\canvas\ComponentMetadataRequirementsChecker. That's where examples are validated, because core's SDC implementation fails to validate them.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: Relative image paths are incorrectly allowed as example image prop values in JavaScript component config schema » Relative image paths are incorrectly allowed as example image prop values in SDCs and code component example values
Assigned: Unassigned » wim leers

I'll take this on.

balintbrews’s picture

balintbrews
he/him/his
Primary language Hungarian
Location Netherlands 🇪🇺
commented

@wim leers — Thank you! Just so you're aware, we have another similar issue that's been causing troubles: #3587211: Empty strings are incorrectly allowed as example string prop values in JavaScript component config schema.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

Hah, just connected that independently of you 😅 Please use the Related issues field 🙏

gauravvvv made their first commit to this issue’s fork.

longwave made their first commit to this issue’s fork.

longwave opened merge request !1034

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Assigned: wim leers » longwave
Status: Active » Needs work
Issue tags: -Needs tests

The forbidden_key_characters check can be refactored, will continue with that here as I think it makes sense, but done here for today.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Assigned: longwave » Unassigned
Status: Needs work » Needs review
longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Issue summary: View changes

penyaskito made their first commit to this issue’s fork.

penyaskito’s picture

penyaskito
he/him
Primary language Spanish
Location 🧑🏽‍🌾 Seville 💃 Andalusia, UTC+2 🇪🇺
commented
Status: Needs review » Reviewed & tested by the community

  • penyaskito committed 09702c6c on 1.x authored by longwave 
    fix(Component sources): #3586958 Relative image paths are incorrectly...
penyaskito’s picture

penyaskito
he/him
Primary language Spanish
Location 🧑🏽‍🌾 Seville 💃 Andalusia, UTC+2 🇪🇺
commented
Status: Reviewed & tested by the community » Fixed

Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Fixed » Needs work
Issue tags: +Needs tests

This introduced a regression for SDCs.

#3516602: SDC `enum` props should have human-readable labels: use `meta:enum` made the presence of human-readable labels a hard requirement for SDCs. This relaxed that.

If #3516602 had added an explicit test for an invalid SDC, then this would've been caught. E.g. the canvas_test_sdc.card SDC could have an invalid sibling implementation that contains:

      enum:
        - lazy
        - eager
      meta:enum:
        lazy: Lazy

This SDC would then not be eligible for use in Canvas.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Related issues: +#3516602: SDC `enum` props should have human-readable labels: use `meta:enum`
longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Assigned: Unassigned » wim leers
Status: Needs work » Postponed (maintainer needs more info)

See latest MR comment; the meta:enum check was previously bypassed for SDCs - was this an accident, or by design? The link to #3528998: Follow-up: SDC `enum` props should have translatable labels: use `meta:enum` implies it is by design, but I'm not sure what Canvas's intent is here.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Assigned: wim leers » longwave
Status: Postponed (maintainer needs more info) » Needs review
Issue tags: -Needs tests +Needs followup

@longwave is right — this is something #3516602: SDC `enum` props should have human-readable labels: use `meta:enum` failed to correctly do, despite it explicitly being the intent. It ended up only working for code components.

Would you mind opening the issue + an MR for this, @longwave? You've most recently touched these LoC and are very likely to have a specific implementation in mind 😇

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Assigned: longwave » Unassigned
Status: Needs review » Fixed
Issue tags: -Needs followup

The 

name: Component mismatch meta:enum, but still operational thanks to https://www.drupal.org/i/3528998

bit in tests/modules/canvas_test_sdc/components/component-mismatch-meta-enum/component-mismatch-meta-enum.component.yml was added Nov 28, 2025. AFTER #3516602: SDC `enum` props should have human-readable labels: use `meta:enum`. Ugh, this was simply relaxed in #3515074: Shape matching MUST work with the resolved equivalents of $refs AND must be compatible with core's upcoming $ref resolving in SDCs, see https://www.drupal.org/project/canvas/issues/3515074#comment-16364196.

Mea culpa 😬🙈

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

Opened #3588972: SDC `enum` props must have matching `meta:enum` labels