Enterprise Server 9.5.0

This page documents notable changes shipped with Form.io Enterprise 9.5.0.

Secure Handling of User-Generated Code

Certain form customizations rely on code supplied by form builders. These include:

The Form.io Platform executes all of this code in the browser, and the Enterprise server evaluates the same code again on submission. Without that server-side evaluation a client could bypass the browser logic and the server's view of a submission would diverge from the browser's; re-evaluating on the server is what allows invalid submissions to be rejected and data integrity preserved.

In the browser, the Form.io Platform relies on the browser's standard security model to sandbox user-supplied code. No equivalent boundary exists on the server, so certain customizations could pose a security hazard by reaching data outside their intended scope. To protect against this, the Enterprise server runs user-supplied code under its own isolation. Before 9.5.0, all such customizations were treated alike and executed inside a single monolithic virtual machine sandbox.

What is changing?

Beginning with Form.io Enterprise 9.5.0, the server still evaluates every customization, but applies the sandbox only to those that require the additional protection. The customizations that are isolated are:

  • Advanced logic

  • Advanced conditionals

  • Custom default values

  • Calculated values

Why is this change being made?

Isolating only the customizations that need it reduces the general overhead for forms that make limited use of them, which can significantly reduce form execution and evaluation time.

Forms that make significant use of these customizations should not see any additional overhead.

Impact to developers

This change should be transparent to most form builders and form users. There is no change to the way form builders implement these customizations.
