The frontend shows custom input fields according to the configuration parameter custom_input_fields. On validation and submission, the data is sent from the browser to the backend as a dict named custom, for example:
    "custom": {
        "custom_classification.type": "infected-system",
        "custom_extra.target_groups": [
            "Target group:Provider",
            "Target group:Government"
        ],
        "custom_classification.identifier": "test",
        "custom_feed.code": "oneshot",
        "custom_feed.name": "oneshot-csv",
        "custom_extra.template_prefix": "",
        "custom_source.fqdn": "example.com"
    }
The backend does not check whether the field names sent by the browser are actually allowed in the configuration; a user could add any fields.
As the users are generally trusted and the configuration parameter is more a help to the user than a restriction, this is not critical, but should be addressed at some point.
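One way the missing backend check could look, as an added example that is not the project's own code: the submitted keys are compared against an allow-list derived from custom_input_fields, and the request is rejected if any other key is present. The function and constant names, the shape of the configuration (a mapping of field names without the custom_ prefix) and the choice to reject rather than silently drop are assumptions.

```python
CUSTOM_PREFIX = "custom_"  # assumption: prefix seen on the submitted keys


class DisallowedFieldError(ValueError):
    """Raised when the browser submits a field that is not configured."""


def validate_custom(custom, custom_input_fields, prefix=CUSTOM_PREFIX):
    """Return a copy of `custom` if every key is a configured field.

    custom: the dict sent by the browser.
    custom_input_fields: assumed to map (or list) field names without prefix.
    """
    if not isinstance(custom, dict):
        raise DisallowedFieldError("'custom' must be an object")
    # Build the allow-list from the configuration, never from the request.
    allowed = {prefix + name for name in custom_input_fields}
    unexpected = sorted(str(key) for key in custom if key not in allowed)
    if unexpected:
        raise DisallowedFieldError(
            "fields not in custom_input_fields: " + ", ".join(unexpected)
        )
    return dict(custom)


# Constructed sample configuration (hypothetical values).
SAMPLE_CONFIG = {
    "classification.type": "infected-system",
    "classification.identifier": "test",
    "feed.code": "oneshot",
    "feed.name": "oneshot-csv",
    "extra.target_groups": [],
    "extra.template_prefix": "",
    "source.fqdn": "",
}

# The submission shown above, plus a constructed variant with an extra key.
SAMPLE_SUBMISSION = {
    "custom_classification.type": "infected-system",
    "custom_extra.target_groups": ["Target group:Provider", "Target group:Government"],
    "custom_classification.identifier": "test",
    "custom_feed.code": "oneshot",
    "custom_feed.name": "oneshot-csv",
    "custom_extra.template_prefix": "",
    "custom_source.fqdn": "example.com",
}
EXTRA_FIELD_SUBMISSION = dict(SAMPLE_SUBMISSION, **{"custom_extra.unlisted": "x"})
```
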