Prevent front matter injection through the body field #4945
Description
Describe the bug
It's currently possible to inject front matter properties within the body field.
This means CMS users can:
- Introduce new front matter properties that were never planned;
- Potentially clash with other reserved properties such as
layoutorslug; - Mistakenly introduce properties with values as
null;
I also tried overriding a property that as filled in above and the field seems to take precedence here, which is great. So at least I hope this prevents validation bypassing?
To Reproduce
- Have CMS collection expecting an optional
statefield along with some other mandatory fields including a body - Create a new record there and leave
statefield empty - In the body field, add
state:in the front matter - Check the generated file with
state: null
Expected behavior
Ignore front matter altogether within the body. That's not what it's meant for.
Applicable Versions:
- Netlify CMS version: 2.14.20
- Git provider: github
- OS: macOS 11.0.1 (20B29)
- Browser version: Brave v1.18.70
- Node.JS version: v12.17.0
CMS configuration
- name: 'docs'
label: 'Docs'
folder: '_pages/docs'
create: true
fields:
- name: 'title'
label: 'Title'
widget: 'string'
- name: 'state'
label: 'State'
widget: 'string'
required: false
- name: 'body'
label: 'Body'
widget: 'markdown'