[update path] [upstream] Text formatted with CKEditor within Canvas gets double escaped when output
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3550334. -->
Reported by: [mherchel](https://www.drupal.org/user/118428)

Related to !252 !194 !213
>>>

<h3 id="overview">Overview</h3>

<p><em>This bug was introduced in <span class="drupalorg-gitlab-issue-link project-issue-status-info project-issue-status-7"><a href="https://www.drupal.org/project/experience_builder/issues/3467959" title="Status: Closed (fixed)">#3467959: SDC and code component props should be able to receive HTML, editable in formatted text fields+widgets</a></span>.</em></p>

<p>I have a basic text component. The schema invokes CKEditor:</p>

<pre>props:
  type: object
  properties:
    text:
      title: Text
      type: string
      contentMediaType: text/html
      x-formatting-context: block</pre>

<p>However, when I output this as <code>{{ text }}</code>, I get escaped HTML. I can fix this by doing <code>{{ text|raw }}</code>, but this isn't in the examples, and obviously has security implications. I'd also argue this negatively affects the developer experience.</p>

<p>We had a discussion in Slack at <a href="https://drupal.slack.com/archives/C072JMEPUS1/p1759666595931849">https://drupal.slack.com/archives/C072JMEPUS1/p1759666595931849</a>. One note is that</p>

<blockquote><p>My concern is that this text component could be used in different page builders outside of Canvas. And the other page builders might not use CKEditor to filter.</p></blockquote>

<p>This could result in an XSS vulnerability.</p>

<h3 id="proposed-resolution">Proposed resolution</h3>

<p>Output as <code>markup</code> so the text doesn't get double escaped.</p>

> Related issue: [Issue #784672](https://www.drupal.org/node/784672)
> Related issue: [Issue #3467959](https://www.drupal.org/node/3467959)
> Related issue: [Issue #3463996](https://www.drupal.org/node/3463996)
> Related issue: [Issue #3523841](https://www.drupal.org/node/3523841)
> Related issue: [Issue #3556327](https://www.drupal.org/node/3556327)
> Related issue: [Issue #3556506](https://www.drupal.org/node/3556506)
> Related issue: [Issue #3556508](https://www.drupal.org/node/3556508)
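
The three outputs discussed in this issue (autoescaped `{{ text }}`, `{{ text|raw }}`, and filtered markup), modelled in Python as an added example that is not part of the original issue and is not Canvas, Twig or Drupal code. `Markup`, `render`, `filter_html` and the allow-list are hypothetical stand-ins, and both sample inputs are constructed.

```python
# Added illustration: a minimal model of template autoescaping, not Twig or Drupal code.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "strong", "em", "a", "ul", "ol", "li", "br"}  # assumed allow-list
ALLOWED_ATTRS = {"a": {"href"}}                                    # assumed allow-list
STORED = "<p>Hello <strong>world</strong></p>"  # constructed: what a rich-text editor saves
UNTRUSTED = '<p onclick="x()">Hi <a href="https://example.com/">link</a></p><script>alert(1)</script>'  # constructed

class Markup(str):
    """A string the renderer trusts as already-safe HTML (stand-in for a markup object)."""

class _Filter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # depth inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            kept = [(k, v or "") for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                    and (v or "").startswith(("https://", "http://", "/", "#"))]
            self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def filter_html(value):
    """Filter at output time, then mark safe: does not rely on the editor having filtered."""
    f = _Filter()
    f.feed(value)
    f.close()
    return Markup("".join(f.out))

def render(value):
    """Model of {{ value }} under autoescape: escape unless the value is marked safe."""
    return value if isinstance(value, Markup) else escape(value)
```

`render(STORED)` reproduces the reported symptom (visible tags), `render(Markup(UNTRUSTED))` models `|raw` and passes the script through, and `render(filter_html(UNTRUSTED))` keeps the formatting while dropping the script and the event handler.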