erp5_json_editor: Sanitize and update description on schema

Remove forbidden properties when retrieve the properties from the schema. - template and options isn't part of json schema spec, so it isn't possible to use this feature globally. - template also could be used to call callbacks, so despite we block unsafe-eval, it still better remove it. - both were removed because it can lead to parameter injection, where by saving the form w/o editing anything, it changes the parameters, it adds non-visible values, which can up to some extend be a security risk. Update the description to display the "default" value as a hint, if it was provided into the schema.

erp5_json_editor: Sanitize and update description on schema
Remove forbidden properties when retrieve the properties from the schema. - template and options isn't part of json schema spec, so it isn't possible to use this feature globally. - template also could be used to call callbacks, so despite we block unsafe-eval, it still better remove it. - both were removed because it can lead to parameter injection, where by saving the form w/o editing anything, it changes the parameters, it adds non-visible values, which can up to some extend be a security risk. Update the description to display the "default" value as a hint, if it was provided into the schema.
a0d6ab94 · Rafael Monnerat · e209623a · a0d6ab94
Commit a0d6ab94 authored Mar 15, 2024 by Rafael Monnerat
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 0 deletions

bt5/erp5_json_editor/SkinTemplateItem/portal_skins/erp5_json_editor/json-editor.gadget.js.js ...em/portal_skins/erp5_json_editor/json-editor.gadget.js.js +25 -0

No files found.
--- a/bt5/erp5_json_editor/SkinTemplateItem/portal_skins/erp5_json_editor/json-editor.gadget.js.js
+++ b/bt5/erp5_json_editor/SkinTemplateItem/portal_skins/erp5_json_editor/json-editor.gadget.js.js
@@ -156,6 +156,31 @@
    return value.toString();
  };

+  if (JSONEditor.defaults.editors.object.prototype.original_getPropertySchema === undefined) {
+    JSONEditor.defaults.editors.object.prototype.original_getPropertySchema = JSONEditor.defaults.editors.object.prototype.getPropertySchema;
+  }
+
+  JSONEditor.defaults.editors.object.prototype.getPropertySchema = function (key) {
+    var schema = this.original_getPropertySchema(key);
+    /* Strip forbidden properties, that aren't part of json schema spec.
+        They are removed because the UI must be complaint with other usages of
+        json schemas.
+    */
+    delete schema.template;
+    delete schema.options;
+
+    /* Display default value as part of description */
+    if (schema.default !== undefined && typeof schema.default !== "object") {
+      if (schema.description !== undefined) {
+        schema.description = schema.description + " (default: " + schema.default + ")";
+      } else {
+        schema.description = " (default: " + schema.default + ")";
+      }
+    }
+    return schema;
+  }
+
+
  /* The original code would remove the field if value is undefined */
  JSONEditor.defaults.editors.object.prototype.setValue = function (value, initial) {
    var object_editor = this;