It is recommended NOT to use “format” keyword implementations with untrusted data, as they use potentially unsafe regular expressions - see ReDoS attack.
Please note: if you need to use the “format” keyword to validate untrusted data, you MUST assess their suitability and safety for your validation scenarios.
CLI is available as a separate npm package ajv-cli. If you want to create a plugin that implements some of them, it should remove these keywords from the instance.
It may require either migrating your schemas or updating your code (to continue using draft-04 and v5 schemas, draft-06 schemas will be supported without changes). You should add in the keyword or format definition (see addFormat, addKeyword and Defining custom keywords). If your schema uses asynchronous formats/keywords or refers to some schema that contains them it should have if you want to return custom errors from the keyword function). In this case Ajv can either fail schema compilation (default) or ignore it (default in versions before 5.0.0). You also can whitelist specific format(s) to be ignored. You can find regular expressions used for format validation and the sources that were used in
If your schemas are received from untrusted sources (or generated from untrusted data) there are several scenarios you need to prevent: It is difficult to predict all the scenarios, but at the very least it may help to limit the size of untrusted schemas (e.g.