@json-editor/json-editor 2.15.2 → 2.16.0

package/docs/form-submission.html

@@ -24,7 +24,7 @@
         Try yourself, submit the form and look in the network tab of the developer tool.
     </p>
     <div class="form-group"></div>
-    <form action="/docs/form-submission.html" method="get">
+    <form method="get">
         <input id="input" type="hidden" name="json">
         <div id='editor-container'></div>
         <input id="submit" class="btn btn-primary" width="100" type="submit">

package/docs/index.html

@@ -10,9 +10,27 @@
     <script src="./scripts/ajv-validator.js"></script>
     <link rel='stylesheet' id='theme-link'>
     <link rel='stylesheet' id='iconlib-link'>
+    <style>
+        .maintenance-notice {
+            background-color: #fff3cd;
+            border: 1px solid #ffeaa7;
+            border-radius: 4px;
+            padding: 12px 16px;
+            margin-bottom: 20px;
+            color: #856404;
+        }
+        .maintenance-notice a {
+            color: #533102;
+            text-decoration: underline;
+        }
+    </style>
 </head>
 <body>
 <div class="container grid-xl" style="padding-top: 15px; padding-bottom: 30px;">
+    <div class="maintenance-notice">
+        <strong>Maintenance Mode:</strong> This library is in maintenance mode. 
+        For active development, consider <a href="https://github.com/germanbisurgi/jedison" target="_blank">Jedison</a>.
+    </div>
     <div class="row columns md:flex">
         <div class='col-7 col-md-7 w-7/12'>
             <h1>Editor</h1>

package/package.json

@@ -2,7 +2,7 @@
   "name": "@json-editor/json-editor",
   "title": "JSONEditor",
   "description": "JSON Schema based editor",
-  "version": "2.15.2",
+  "version": "2.16.0",
   "main": "dist/jsoneditor.js",
   "author": {
     "name": "Jeremy Dorn",

package/src/editor.js

@@ -176,7 +176,7 @@ export class AbstractEditor {
     const editor = this.jsoneditor.getEditor(path)
     const value = editor ? editor.getValue() : undefined
 
-    if (!editor || !editor.dependenciesFulfilled || !value) {
+    if (!editor || !editor.dependenciesFulfilled || value === undefined || value === null) {
       this.dependenciesFulfilled = false
     } else if (Array.isArray(choices)) {
       this.dependenciesFulfilled = choices.some(choice => {
@@ -521,6 +521,20 @@ export class AbstractEditor {
     }
   }
 
+  purify (val) {
+    if (typeof val !== 'string') {
+      return val
+    }
+
+    if (window.DOMPurify) {
+      val = window.DOMPurify.sanitize(val)
+    } else {
+      val = this.cleanText(val)
+    }
+
+    return val
+  }
+
   getHeaderText (titleOnly) {
     if (this.header_text) return this.header_text
     else if (titleOnly) return this.translateProperty(this.schema.title)

package/src/editors/hidden.js

@@ -84,6 +84,7 @@ export class HiddenEditor extends AbstractEditor {
    * This is overridden in derivative editors
    */
   sanitize (value) {
+    value = this.purify(value)
     return value
   }
 

package/src/editors/multiselect.js

@@ -178,6 +178,7 @@ export class MultiSelectEditor extends AbstractEditor {
   }
 
   sanitize (value) {
+    value = this.purify(value)
     if (this.schema.items.type === 'boolean') return !!value
     else if (this.schema.items.type === 'number') return 1 * value || 0
     else if (this.schema.items.type === 'integer') return Math.floor(value * 1 || 0)

package/src/editors/string.js

@@ -18,6 +18,7 @@ export class StringEditor extends AbstractEditor {
   }
 
   setValue (value, initial, fromTemplate) {
+    value = this.purify(value)
     value = this.applyConstFilter(value)
 
     if (this.template && !fromTemplate) return
@@ -362,6 +363,7 @@ export class StringEditor extends AbstractEditor {
    * This is overridden in derivative editors
    */
   sanitize (value) {
+    value = this.purify(value)
     return value
   }
 

package/src/editors/uuid.js

@@ -26,6 +26,7 @@ export class UuidEditor extends StringEditor {
   }
 
   sanitize (value) {
+    value = this.purify(value)
     if (!this.testUuid(value)) value = this.uuid
     return value
   }

package/tests/codeceptjs/editors/purify_test.js

@@ -0,0 +1,26 @@
+/* global Feature Scenario */
+
+Feature('purify')
+
+Scenario('Should @purify @optional XSS from direct input', async ({ I }) => {
+  I.amOnPage('purify.html')
+  I.waitForElement('[name="root[string]"]')
+  I.fillField('[name="root[string]"]', 'bla</script><script>alert(1)</script>')
+  I.pressKey('Tab')
+  I.wait(1)
+  I.click('.get-value')
+  I.wait(1)
+  I.waitForValue('#value', '{"string":"bla"}')
+})
+
+Scenario('Should @purify @optional XSS from setValue() via textarea', async ({ I }) => {
+  I.amOnPage('purify.html')
+  I.waitForElement('#value')
+  I.fillField('#value', 'bla</script><script>alert(1)</script>')
+  I.pressKey('Tab')
+  I.click('.set-value')
+  I.wait(2)
+  I.click('.get-value')
+  I.wait(1)
+  I.waitForValue('#value', '{"string":"bla"}')
+})

package/tests/codeceptjs/issues/issue-gh-1559_test.js

@@ -0,0 +1,15 @@
+/* global Feature Scenario */
+
+Feature('issues')
+
+Scenario('GitHub issue 1559 should remain fixed @issue-1559', async ({ I }) => {
+  I.amOnPage('issues/issue-gh-1559.html')
+  I.waitForElement('.je-ready')
+  I.dontSeeElement('[data-schemapath="root.dependent_on_false"]')
+  I.click('[data-schemapath="root.dependent_on_true"] input')
+  I.waitForElement('[data-schemapath="root.dependent_on_false"]', 2)
+  I.seeElement('[data-schemapath="root.dependent_on_false"]')
+  I.click('[data-schemapath="root.dependent_on_true"] input')
+  I.waitForInvisible('[data-schemapath="root.dependent_on_false"]', 2)
+  I.dontSeeElement('[data-schemapath="root.dependent_on_false"]')
+})

package/tests/docker-compose-local.yml

@@ -1,4 +1,5 @@
-version: '3'
 services:
   chrome:
-    image: seleniarm/standalone-chromium:114.0
+    image: seleniarm/standalone-chromium
+  firefox:
+    image: seleniarm/standalone-firefox

package/tests/pages/issues/issue-gh-1559.html

@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8"/>
+    <title>GitHub Issue 1559 - Dependencies with false values not fulfilled</title>
+    <script src="../../../dist/jsoneditor.js"></script>
+    <link rel="stylesheet" id="theme-link" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
+    <link rel="stylesheet" id="iconlib-link" href="https://use.fontawesome.com/releases/v5.6.1/css/all.css">
+</head>
+<body>
+
+<div class="container">
+    <h1>Test - Dependencies with false values not fulfilled</h1>
+    <p>When <code>dependent_on_true</code> is unchecked (false), the <code>dependent_on_false</code> field should appear. This tests GitHub issue #1559 - dependencies with false values not being fulfilled.</p>
+    <div id='editor-container'></div>
+</div>
+
+<script>
+  var editorContainer = document.querySelector('#editor-container')
+  var schema = {
+    "type": "object",
+    "title": "Test configuration",
+    "description": "Test configuration for dependencies with false values (GitHub issue #1559)",
+    "properties": {
+        "master_field": {
+            "type": "boolean",
+            "title": "Master field",
+            "format": "checkbox",
+            "description": "Master toggle field.",
+            "default": true
+        },
+        "dependent_on_true": {
+            "type": "boolean",
+            "format": "checkbox",
+            "title": "Dependent on true",
+            "description": "This field depends on master_field being true.",
+            "default": true,
+            "options": {
+                "dependencies": {
+                    "master_field": true
+                }
+            }
+        },
+        "dependent_on_false": {
+            "type": "string",
+            "format": "password",
+            "title": "Dependent on false",
+            "description": "This field depends on dependent_on_true being false.",
+            "minLength": 1,
+            "options": {
+                "dependencies": {
+                    "dependent_on_true": false
+                }
+            }
+        }
+    }
+  }
+
+  var editor = new JSONEditor(editorContainer, {
+    schema: schema,
+    theme: 'bootstrap4',
+    iconlib: 'fontawesome',
+    show_errors: 'always'
+  })
+</script>
+
+</body>
+</html>

package/tests/pages/purify.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8"/>
+  <title>Purify</title>
+  <script src="https://cdn.jsdelivr.net/npm/dompurify@3.3.1/dist/purify.min.js"></script>
+  <script src="../../dist/jsoneditor.js"></script>
+  <link rel="stylesheet" id="theme-link" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
+  <link rel="stylesheet" id="iconlib-link" href="https://use.fontawesome.com/releases/v5.6.1/css/all.css">
+</head>
+<body>
+
+<div class="container">
+  <div id='editor-container'></div>
+  <label for="value">Value</label>
+  <textarea id="value" class="form-control value" rows="10"></textarea>
+  <button class="get-value btn btn-primary">Get Value</button>
+  <button class="set-value btn btn-secondary">Set Value</button>
+</div>
+
+<script>
+  const editorContainer = document.querySelector('#editor-container')
+  const value = document.querySelector('#value');
+  const schema = {
+    "type": "object",
+    "title": "Purify",
+    "properties": {
+      "string": {
+        "title": "string (StringEditor)",
+        "type": "string"
+      }
+    }
+  }
+
+  const editor = new JSONEditor(editorContainer, {
+    schema: schema,
+    theme: 'bootstrap4',
+    iconlib: 'fontawesome',
+    disable_properties: true,
+    disable_collapse: true,
+    disable_edit_json: true,
+  })
+
+  const getValueBtn = document.querySelector('.get-value')
+  const setValueBtn = document.querySelector('.set-value')
+
+  editor.on('change', function () {
+    value.value = JSON.stringify(editor.getValue())
+  })
+
+  getValueBtn.addEventListener('click', function () {
+    value.value = JSON.stringify(editor.getValue())
+  })
+
+  setValueBtn.addEventListener('click', function () {
+    try {
+      editor.setValue(JSON.parse(value.value))
+    } catch (e) {
+      editor.setValue({ string: value.value })
+    }
+  })
+</script>
+
+</body>
+</html>
+