MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update bindings to always ensure they are safely escaped

This commit is contained in:
Andrew Kingston 2021-03-22 12:10:43 +00:00
parent c2e9e3d79f
commit e62a6b92b4
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
packages/builder/src/builderStore/dataBinding.js
View File

@ -156,6 +156,7 @@ const getContextBindings = (asset, componentId) => {
const keys = Object.keys(schema).sort() const keys = Object.keys(schema).sort()
// Create bindable properties for each schema field // Create bindable properties for each schema field
const safeComponentId = makePropSafe(component._id)
keys.forEach(key => { keys.forEach(key => {
const fieldSchema = schema[key] const fieldSchema = schema[key]
@ -167,9 +168,9 @@ const getContextBindings = (asset, componentId) => {
} else if (fieldSchema.type === "attachment") { } else if (fieldSchema.type === "attachment") {
runtimeBoundKey = `${key}_first` runtimeBoundKey = `${key}_first`
} }
runtimeBoundKey = makePropSafe(runtimeBoundKey) const runtimeBinding = `${safeComponentId}.${makePropSafe(
const componentId = makePropSafe(component._id) runtimeBoundKey
const runtimeBinding = `${componentId}.${runtimeBoundKey}` )}`
// Optionally use a prefix with readable bindings // Optionally use a prefix with readable bindings
let readableBinding = component._instanceName let readableBinding = component._instanceName
@ -204,6 +205,7 @@ const getUserBindings = () => {
tableId: TableNames.USERS, tableId: TableNames.USERS,
}) })
const keys = Object.keys(schema).sort() const keys = Object.keys(schema).sort()
const safeUser = makePropSafe("user")
keys.forEach(key => { keys.forEach(key => {
const fieldSchema = schema[key] const fieldSchema = schema[key]
// Replace certain bindings with a new property to help display components // Replace certain bindings with a new property to help display components
@ -216,7 +218,7 @@ const getUserBindings = () => {
bindings.push({ bindings.push({
type: "context", type: "context",
runtimeBinding: `user.${runtimeBoundKey}`, runtimeBinding: `${safeUser}.${makePropSafe(runtimeBoundKey)}`,
readableBinding: `Current User.${key}`, readableBinding: `Current User.${key}`,
// Field schema and provider are required to construct relationship // Field schema and provider are required to construct relationship
// datasource options, based on bindable properties // datasource options, based on bindable properties
@ -240,9 +242,10 @@ const getUrlBindings = asset => {
params.push(part.replace(/:/g, "").replace(/\?/g, "")) params.push(part.replace(/:/g, "").replace(/\?/g, ""))
} }
}) })
const safeURL = makePropSafe("url")
return params.map(param => ({ return params.map(param => ({
type: "context", type: "context",
runtimeBinding: `url.${param}`, runtimeBinding: `${safeURL}.${makePropSafe(param)}`,
readableBinding: `URL.${param}`, readableBinding: `URL.${param}`,
})) }))
} }