Document expression parser limitations and usage guidelines

Copilot · hotlong · Copilot · commit b2a40caa1e70 · 2026-01-31T12:01:02.000Z
Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/SECURITY_FIX_SUMMARY.md b/SECURITY_FIX_SUMMARY.md
@@ -31,6 +31,14 @@ Implemented a custom expression parser that:
   - Literals: `true`, `false`, `null`, numbers, strings
   - Escape sequences in strings
 
+**Known Limitations** (acceptable for validation use cases):
+- Single comparison operator per expression (no chaining like `a > b > c`)
+- Simple escape sequence handling (doesn't handle escaped backslashes)
+- Field names in bracket notation cannot contain escaped quotes
+- These limitations don't affect typical validation expressions and can be addressed if needed
+
+**Note**: For more complex expression requirements, the implementation can be extended or replaced with a dedicated library like JSONLogic or filtrex.
+
 ### 3. Code Quality Improvements
 - Added escape sequence handling for string literals
 - Separated strict (`===`) and loose (`==`) equality for backward compatibility
diff --git a/packages/core/src/validation/validators/object-validation-engine.ts b/packages/core/src/validation/validators/object-validation-engine.ts
@@ -78,7 +78,7 @@ export interface ValidationExpressionEvaluator {
 }
 
 /**
- * Safe expression evaluator using a simple parser (no dynamic code execution)
+ * Simple expression evaluator using a simple parser (no dynamic code execution)
  * 
  * SECURITY: This implementation parses expressions into an AST and evaluates them
  * without using eval() or new Function(). It supports:
@@ -87,9 +87,16 @@ export interface ValidationExpressionEvaluator {
  * - Property access: record.field, record['field']
  * - Literals: true, false, null, numbers, strings
  * 
+ * LIMITATIONS:
+ * - Single comparison operator per expression (no chaining like a > b > c)
+ * - Simple escape sequence handling (doesn't handle escaped backslashes)
+ * - Field names in bracket notation cannot contain escaped quotes
+ * 
  * For more complex expressions, integrate a dedicated library like:
  * - JSONLogic (jsonlogic.com)
  * - filtrex
+ * 
+ * @see https://github.com/objectstack-ai/objectui/blob/main/SECURITY_FIX_SUMMARY.md
  */
 class SimpleExpressionEvaluator implements ValidationExpressionEvaluator {
   evaluate(expression: string, context: Record<string, any>): any {
