|
395 | 395 | </t> |
396 | 396 | </section> |
397 | 397 |
|
398 | | - <section title="Schema references with $ref"> |
| 398 | + <section title='Schema references with "$ref"'> |
399 | 399 | <t> |
400 | 400 | The "$ref" keyword is used to reference a schema, and provides the ability to |
401 | 401 | validate recursive structures through self-reference. |
|
588 | 588 | </section> |
589 | 589 | </section> |
590 | 590 |
|
| 591 | + <section title='Comments with "$comment"'> |
| 592 | + <t> |
| 593 | + This keyword is reserved for comments from schema authors to readers or |
| 594 | + maintainers of the schema. |
| 595 | + |
| 596 | + The value of this keyword MUST be a string. Implementations MUST NOT present this |
| 597 | + string to end users. Tools for editing schemas SHOULD support displaying and |
| 598 | + editing this keyword. The value of this keyword MAY be used in debug or error |
| 599 | + output which is intended for developers making use of schemas. |
| 600 | + |
| 601 | + Schema vocabularies SHOULD allow "$comment" within any object containing |
| 602 | + vocabulary keywords. Implementations MAY assume "$comment" is allowed |
| 603 | + unless the vocabulary specifically forbids it. Vocabularies MUST NOT |
| 604 | + specify any effect of "$comment" beyond what is described in this |
| 605 | + specification. |
| 606 | + |
| 607 | + Tools that translate other media types or programming languages |
| 608 | + to and from application/schema+json MAY choose to convert that media type or |
| 609 | + programming language's native comments to or from "$comment" values. |
| 610 | + The behavior of such translation when both native comments and "$comment" |
| 611 | + properties are present is implementation-dependent. |
| 612 | + |
| 613 | + Implementations SHOULD treat "$comment" identically to an unknown extension |
| 614 | + keyword. They MAY strip "$comment" values at any point during processing. |
| 615 | + In particular, this allows for shortening schemas when the size of deployed |
| 616 | + schemas is a concern. |
| 617 | + |
| 618 | + Implementations MUST NOT take any other action based on the presence, absence, |
| 619 | + or contents of "$comment" properties. |
| 620 | + </t> |
| 621 | + </section> |
| 622 | + |
591 | 623 | <section title="Usage for hypermedia"> |
592 | 624 |
|
593 | 625 | <t> |
@@ -738,6 +770,16 @@ User-Agent: product-name/5.4.1 so-cool-json-schema/1.0.2 curl/7.43.0 |
738 | 770 | Individual JSON Schema vocabularies are liable to also have their own security |
739 | 771 | considerations. Consult the respective specifications for more information. |
740 | 772 | </t> |
| 773 | + <t> |
| 774 | + Schema authors should take care with "$comment" contents, as a malicious |
| 775 | + implementation can display them to end-users in violation of a spec, or |
| 776 | + fail to strip them if such behavior is expected. |
| 777 | + </t> |
| 778 | + <t> |
| 779 | + A malicous schema author could place executable code or other dangerous |
| 780 | + material within a "$comment". Implementations MUST NOT parse or otherwise |
| 781 | + take action based on "$comment" contents. |
| 782 | + </t> |
741 | 783 | </section> |
742 | 784 |
|
743 | 785 | <section title="IANA Considerations"> |
|
0 commit comments