Enterprise Server 9.5.0
This page documents notable changes shipped with Form.io Enterprise 9.5.0.
Secure Handling of User-Generated Code
Certain form customizations rely on code supplied by form builders. These include:
Default values/Custom default values
Calculated values
API calls
Hidden fields
Validation
While the Form.io Platform executes all of this within the browser, the code is also evaluated on the Enterprise server. This prevents discontinuities between data on the server and data within the browser, which is essential in blocking invalid submissions and preserving data integrity.
Within the browser, the Form.io Platform leverages the standard browser security model to sandbox user-supplied code. As this is not available on the server side, certain customizations could pose a security hazard by accessing out-of-scope data on the server. To protect against this, Form.io uses alternative means to ensure the safe orchestration of user-supplied code on the Enterprise server. Previously, all such customizations were treated the same and used a single monolithic virtual machine to sandbox them.
What is changing?
Beginning with the release of Form.io Enterprise 9.5.0, the platform sandboxes only those customizations that require additional protection; customizations that pose no risk are no longer routed through the isolated virtual machine. The isolated customizations are:
Advanced logic
Advanced conditionals
Custom default values
Calculated values
Why is this change being made?
Evaluating customizations selectively reduces the general overhead for forms that make limited use of the affected customizations, and can significantly reduce their execution and evaluation time.
Forms that make significant use of these customizations should not see any additional overhead.
Impact on developers
This change should be transparent to most form builders and form users. There is no change to the way form builders implement these customizations.