Recreate a Fabric.js object from serialized JSON data.

We deliberately do NOT whitelist the top-level type here. Fabric's
enlivenObjects already rejects unknown types internally, and
production whiteboards carry a long tail of legitimate types
(group composites, sticky notes, custom add-ins) that a static
allowlist is likely to miss. Over-strict validation silently drops
legitimate peer edits, which is a far worse failure mode than the
theoretical attacks an allowlist would prevent: Fabric paints to a
canvas only, so a serialized object offers no DOM injection or
script execution surface.

The one real attack we DO defend against here is the image src:
Fabric will dutifully fetch whatever URL a peer ships, leaking the
viewer's presence (and IP address) to a third-party server. Reject
everything except data:image/*. Bear in mind that src is not the
only field Fabric loads from: a Pattern fill or stroke carries a
string source that is fetched the same way, and group and clipPath
objects nest, so the same rule has to be applied to every object in
the serialized graph, not just the top-level one.
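A concrete form of that src check, added here as an example rather than code from the page's project. It runs as plain Node.js; the hand-off to enlivenObjects needs a browser canvas and is shown only as a comment (the Fabric 5 callback signature is assumed, Fabric 6 returns a Promise instead). It applies the rule stated above, data:image/* only, and goes one step beyond the comment by walking nested group objects, clipPath objects and Pattern fills, since Fabric loads a Pattern's string source exactly as it loads an image's src. The sample peer edits, the tracker URLs and the truncated PNG data URL are constructed for the example.

```javascript
// Added example, not the project's own code. Validates a serialized
// Fabric.js object before it is handed to enlivenObjects: every object
// type is kept, but any image source that is not data:image/* causes
// the whole object to be rejected.

// data:image/<subtype>[;param=value ...][;base64],<payload>
// Anchored at the start, so "http://", "blob:", "javascript:" and
// "data:text/html" never match. /i mirrors the browser's case-insensitive
// handling of scheme and MIME type.
const DATA_IMAGE_URL = /^data:image\/[\w.+-]+(?:;[\w.+=-]+)*,/i;

function isSafeImageSource(src) {
  return typeof src === "string" && DATA_IMAGE_URL.test(src);
}

// Fields whose value may be a serialized Pattern ({ type: "pattern", source }).
const PATTERN_FIELDS = ["fill", "stroke"];

// Returns a copy of `obj` that is safe to enliven, or null if it (or any
// descendant) carries a non-data: image source. Rejecting the whole object
// instead of silently pruning one child keeps the local canvas consistent
// with what the peer believes it sent.
function sanitizeSerializedObject(obj, depth = 0) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  if (depth > 64) return null; // guard against absurdly deep nesting (assumed limit)

  const out = { ...obj };
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

  // fabric.Image and subclasses carry src.
  if (has(out, "src") && !isSafeImageSource(out.src)) return null;

  // fabric.Pattern fills/strokes carry a source URL that is fetched too.
  for (const field of PATTERN_FIELDS) {
    const v = out[field];
    if (v && typeof v === "object" && has(v, "source") && !isSafeImageSource(v.source)) {
      return null;
    }
  }

  // clipPath is itself a serialized object (may be an image).
  if (out.clipPath !== undefined && out.clipPath !== null) {
    const clip = sanitizeSerializedObject(out.clipPath, depth + 1);
    if (clip === null) return null;
    out.clipPath = clip;
  }

  // Groups and active selections nest their children under objects.
  if (Array.isArray(out.objects)) {
    const children = [];
    for (const child of out.objects) {
      const c = sanitizeSerializedObject(child, depth + 1);
      if (c === null) return null;
      children.push(c);
    }
    out.objects = children;
  }

  return out;
}

// Constructed sample edits as a peer might ship them. The PNG payload is a
// truncated stub; only the URL shape matters to the check.
const PNG_STUB = "data:image/png;base64,iVBORw0KGgo=";
const SAMPLE_EDITS = [
  { type: "rect", left: 10, top: 10, width: 50, height: 50, fill: "#f00" },
  { type: "image", left: 0, top: 0, src: PNG_STUB },
  { type: "image", left: 0, top: 0, src: "https://tracker.example/p.gif?u=42" },
  { type: "group", objects: [
      { type: "rect", width: 5, height: 5 },
      { type: "image", src: "http://tracker.example/hidden.png" },
  ] },
  { type: "rect", width: 5, height: 5,
    fill: { type: "pattern", repeat: "repeat", source: "https://tracker.example/t.png" } },
];

// Returns the sanitized objects in order, null for each rejected edit.
function filterPeerEdits(edits) {
  return edits.map((e) => sanitizeSerializedObject(e));
}

// In the application (browser only, hence a comment), Fabric 5 callback form:
//   const safe = sanitizeSerializedObject(json);
//   if (safe) fabric.util.enlivenObjects([safe], ([obj]) => canvas.add(obj));
```

The check is a pure function over the JSON, so it runs before any Fabric class is instantiated; nothing is fetched until enlivenObjects is called with the already-filtered object.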