Commit df47582b authored by Rafael Monnerat's avatar Rafael Monnerat Committed by Kazuhiko Shiozaki

erp5_json_editor: Sanitize and update description on schema

  Remove forbidden properties when retrieve the properties from the schema.

      - template and options isn't  part of json schema spec, so it isn't possible to use this feature globally.
      - template also could be used to call callbacks, so despite we block unsafe-eval, it still better remove it.
      - both were removed because it can lead to parameter injection, where by saving the form w/o editing anything, it changes the parameters, it adds non-visible values, which can up to some extend be a security risk.

   Update the description to display the "default" value as a hint, if it was provided into the schema.
parent 837d4013
......@@ -156,6 +156,31 @@
return value.toString();
};
if (JSONEditor.defaults.editors.object.prototype.original_getPropertySchema === undefined) {
JSONEditor.defaults.editors.object.prototype.original_getPropertySchema = JSONEditor.defaults.editors.object.prototype.getPropertySchema;
}
JSONEditor.defaults.editors.object.prototype.getPropertySchema = function (key) {
var schema = this.original_getPropertySchema(key);
/* Strip forbidden properties, that aren't part of json schema spec.
They are removed because the UI must be complaint with other usages of
json schemas.
*/
delete schema.template;
delete schema.options;
/* Display default value as part of description */
if (schema.default !== undefined && typeof schema.default !== "object") {
if (schema.description !== undefined) {
schema.description = schema.description + " (default: " + schema.default + ")";
} else {
schema.description = " (default: " + schema.default + ")";
}
}
return schema;
}
/* The original code would remove the field if value is undefined */
JSONEditor.defaults.editors.object.prototype.setValue = function (value, initial) {
var object_editor = this;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment