This repository has been archived by the owner on Jul 14, 2023. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
use pyaml to display non-string values in the submissions page.
Showing 2 changed files with 16 additions and 8 deletions.
e89c30c
I did this to solve an issue a client was having for a long time.
JSON submissions were being stored as JSON and caused an exception at render time (the template renderer for the submissions page expected all values to be strings). Now I'm transforming them into nicely-formatted strings before passing them to the template.
Should we apply the same rationale to email templates?
e89c30c
Are you storing things as YAML now?
e89c30c
No. Submissions were already being stored as JSON (JSONB, actually) on Postgres. Nothing is changed there.
e89c30c
My previous comment was confusing. Sorry. The short version is: nothing is changed, except non-string values are now turned into pretty YAML representations before they are rendered in the submissions page templates.
e89c30c
Hm. YAML might not be safe for UGC. Does PyYAML allow execution of arbitrary code? What's to keep someone from sending a special JSON blob that includes Python code, which we then run on our server?
e89c30c
Oh, that's serious. I didn't know about that. Sorry.
PyYAML has a "safe" mode, which "pyaml" can use. I'll enable that.
e89c30c
eec1115
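The "safe" mode discussed in this thread, as an added example that is not code from this commit or the project: it stringifies non-string submission values with PyYAML's `safe_dump` and shows that the safe dumper and safe loader both refuse Python-specific objects and tags. It assumes PyYAML is called directly rather than through pyaml; the function names, the `Marker` class and the sample submission are constructed for illustration.

```python
import json
import yaml  # PyYAML

def render_value(value):
    """Turn one submission field into a display string for the template."""
    if isinstance(value, str):
        return value
    # safe_dump emits only standard YAML tags and raises for any object
    # that is not a plain dict/list/str/number/bool/None.
    text = yaml.safe_dump(value, default_flow_style=False, allow_unicode=True)
    if text.endswith("\n...\n"):  # PyYAML appends an end marker after a bare scalar
        text = text[:-4]
    return text.rstrip("\n")

def render_submission(raw_json):
    """Decode a stored JSON submission and stringify every field."""
    return {key: render_value(val) for key, val in json.loads(raw_json).items()}

class Marker:
    """Constructed stand-in for any Python object that is not JSON data."""
    def __init__(self):
        self.x = 1

def python_tagged_dump():
    """The default (non-safe) dumper writes a Python-specific object tag."""
    return yaml.dump(Marker())

def safe_dump_accepts(value):
    try:
        render_value(value)
        return True
    except yaml.YAMLError:
        return False

def safe_load_accepts(text):
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False

# Constructed sample submission, shaped like a decoded JSONB row.
SAMPLE = '{"name": "Ada", "tags": ["a", "b"], "address": {"city": "Lisbon", "zip": 1000}, "subscribe": true}'

if __name__ == "__main__":
    for field, shown in render_submission(SAMPLE).items():
        print(f"{field}:\n{shown}\n")
    tagged = python_tagged_dump()
    print(tagged, safe_dump_accepts(Marker()), safe_load_accepts(tagged))
```

Values decoded by `json.loads` are always plain data, so `safe_dump` handles every stored submission; the rejection paths only trigger if something other than decoded JSON reaches the renderer.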