Generate Key-Value Pairs using Form Data

This concerns a quality-of-life improvement, but also potentially a security concern.

With large forms, one is tempted to simply use an Object and refer to the form, as follows:

Form.data

While this is convenient from a DX perspective, it does introduce some potential vulnerabilities in regards to mass assignment. Any value in the form will be considered to be valid and although I haven't tested this out, I assume there is no safeguard or validation in place to check against any unintended values (?)

In any case, one way to mitigate this is to be very intentional/strict on what columns and values to allow to be inserted in the database. The way to do so is using key-value pairs. But this quickly becomes a pain when you're dealing with countless columns. Making a mistake or missing something is overlooked quite easily.

Therefore I would advocate in favor of using a "Generate" button to have the form's keys automatically be set. That way, you're confident you're using all of the right columns and not potentially allowing users to add anything either.

This "Generate" button (a lightning bolt, perhaps?) would be included at the end of these buttons:

example

Anyway, I hope you'll take this into consideration.

Thanks :wave:


Hey @emozio,

Definitely agree that the "Generate" button would really improve quality of life.

With regards to which values are added to form.data, you just simply need to leave "Form data key" empty within the component that doesn't need to be included in form.data:

But I'm guessing this may not be exactly what you're after in terms of security.
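The mass-assignment concern raised in the thread, sketched as an added example that is not from either poster or from the product itself: an explicit allowlist sits between the submitted form object and the insert, so unexpected keys never reach the database. The column names, validators, table name and sample payload are hypothetical, and the `$n` placeholders assume a PostgreSQL-style driver.

```javascript
// Allowlist of insertable columns, each with a validator (hypothetical schema).
const ALLOWED_COLUMNS = {
  name:  (v) => typeof v === "string" && v.length > 0 && v.length <= 100,
  email: (v) => typeof v === "string" && /^[^@\s]+@[^@\s]+$/.test(v),
  age:   (v) => Number.isInteger(v) && v >= 0 && v <= 150,
};

// Copy only allowlisted, valid keys into the row; report everything else.
function buildInsertRow(formData, allowed = ALLOWED_COLUMNS) {
  const row = {};
  const rejected = []; // keys the form sent that are not insertable columns
  const invalid = [];  // allowlisted keys whose value failed validation
  for (const key of Object.keys(formData)) {
    // Own-property check so inherited names like "constructor" never match.
    if (!Object.prototype.hasOwnProperty.call(allowed, key)) {
      rejected.push(key);
      continue;
    }
    if (allowed[key](formData[key])) row[key] = formData[key];
    else invalid.push(key);
  }
  return { row, rejected, invalid };
}

// Build a parameterized INSERT. `table` is a constant chosen by the developer;
// column names come only from the allowlist, values are bound as parameters.
function toParameterizedInsert(table, row) {
  const cols = Object.keys(row);
  const placeholders = cols.map((_, i) => `$${i + 1}`);
  return {
    text: `INSERT INTO ${table} (${cols.join(", ")}) VALUES (${placeholders.join(", ")})`,
    values: cols.map((c) => row[c]),
  };
}

// Constructed sample: a submission carrying two keys the form never defined.
const submitted = JSON.parse(
  '{"name":"Ada","email":"ada@example.com","age":36,"is_admin":true,"__proto__":{"x":1}}'
);
const result = buildInsertRow(submitted);
if (result.rejected.length > 0) {
  console.warn("Dropped unexpected form keys:", result.rejected);
}
console.log(toParameterizedInsert("users", result.row));
```

Logging the rejected keys, rather than silently dropping them, also gives a signal when a client sends fields the form does not define.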