Mikita Belahlazau

If there was a way to provide custom serialization/deserialization methods for a field in ebean - that would be helpful. But I couldn't find such functionality.

I think we can try using Converter: https://docs.oracle.com/javaee/7/api/javax/persistence/Converter.html https://www.baeldung.com/jpa-attribute-converters

Tried using Coverters - no luck. Ebean uses its ScalarTypeJsonObjectMapper for DbJson fields and my custom Converter ignored.

Ah, just found out that we set ObjectMapper ourselves: https://github.com/civiform/civiform/blob/1fa37bbf7cb5425f7157256778c902a9cbb1675b/server/app/models/EbeanServerConfigStartup.java#L22 Maybe it makes sense to try and make ObjectMapper work well for ApplicantData?

+1 If intention of cancelling all events is to prevent non-safeframe js from intercepting safeframe messages then cancel should happen inside if block as @bmilekic suggested. Cancellation of all events...

Could you elaborate more on intention of the cancellation? Does moving cancellation into "if" block make it less secure? I probably don't understand all consequences of cancelling only safeframe-messages instead...

But why do you cancel non-safeframe messages? Spec doesn't say anything about banning postMessage-based communication inside SafeFrame. I get the point of cancelling messages that were sent by SafeFrame host...

I still don't fully understand why reference implementation restricts postMessagin'g in a way that not mentioned in the specification. Anyway, is there timeline for the rework you mentioned? This bug...

Actually hold on. I think the bug is not fixed. Clutz produces different output depending on goog.module name I just got lucky in the test.

Ready for review.