Skip to content

FOUR-30819 Sanitize screen template config#8803

Open
eiresendez wants to merge 2 commits intodevelopfrom
bugfix/FOUR-30819
Open

FOUR-30819 Sanitize screen template config#8803
eiresendez wants to merge 2 commits intodevelopfrom
bugfix/FOUR-30819

Conversation

@eiresendez
Copy link
Copy Markdown
Contributor

@eiresendez eiresendez commented Apr 28, 2026
edited
Loading

Issue & Reproduction Steps

The default screen template "Single Form - Multi-Step Process" can persist serialized builder metadata in the target screen config. When the screen builder or preview renders that config, mustache.render can receive an object instead of a template string, causing a browser console error and preventing the screen from rendering correctly.

Reproduction:

  1. Log in and go to Designer > Screens.
  2. Create or open a screen.
  3. Apply the default "Single Form - Multi-Step Process" screen template.
  4. Save or reload the screen builder, then open preview/request mode.
  5. Before this fix, the browser console reports Invalid template! Template should be a "string" but "object" was given as the first argument for mustache#render.

The regression test uses the existing template-manifest-with-css-fields-layout.json fixture, which contains serialized inspector metadata matching the failure mode.

Solution

  • Added backend sanitization for screen template config before applied templates are persisted.
  • Removed serialized Vue component objects from inspector[*].type recursively.
  • Normalized renderable string fields when template payloads provide non-renderable array/object values.
  • Normalized empty validation: [] values to null so form elements do not enter validation rendering paths with invalid template data.
  • Kept the change backend-only; no public API, route, or frontend package changes were made.
  • Added a regression test covering POST /template/screen/{id}/apply and nested sanitized config output.

How to Test

Automated:

php ./vendor/bin/phpunit --filter testApplyTemplateSanitizesSerializedInspectorComponents tests/Feature/Templates/Api/ScreenTemplateTest.php

Manual:

  1. Run php artisan processmaker:sync-screen-templates if the default screen templates need to be refreshed locally.
  2. Create or open a screen in Designer.
  3. Apply the default "Single Form - Multi-Step Process" screen template.
  4. Save/reload the screen builder and open preview/request mode.
  5. Confirm the browser console no longer shows the mustache#render invalid template error.

Related Tickets & Packages

ci:deploy

@eiresendez eiresendez marked this pull request as ready for review April 28, 2026 20:42
@Kookster310
Copy link
Copy Markdown
Contributor

Kookster310 commented Apr 28, 2026

QA server K8S was successfully deployed https://ci-9a779e9720.engk8s.processmaker.net

@processmaker-sonarqube
Copy link
Copy Markdown

processmaker-sonarqube Bot commented Apr 29, 2026

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@eiresendez eiresendez requested a review from mcraeteisha April 29, 2026 16:07
@Kookster310
Copy link
Copy Markdown
Contributor

Kookster310 commented Apr 29, 2026

QA server K8S was successfully deployed https://ci-9a779e9720.engk8s.processmaker.net

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcraeteisha mcraeteisha mcraeteisha approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eiresendez @Kookster310 @mcraeteisha