From e15338a0bf7ac9edc27ebef42d40c9787fc47798 Mon Sep 17 00:00:00 2001
From: Saeed <sarfaraz.stz.ggane@gmail.com>
Date: Wed, 4 Feb 2026 15:36:22 +0330
Subject: [PATCH] FIX Replacing usage of getJavaClass().getSimpleName() with
 schema..getSimpleName() to bypass Thymleaf's sandbox security

---
 .../external/dbmapping/DbObjectSchema.java    | 250 ++++++++++--------
 .../templates/snapadmin/model/create.html     | 182 +++++++++----
 .../templates/snapadmin/model/list.html       |   4 +-
 .../templates/snapadmin/model/schema.html     | 201 +++++++++-----
 .../templates/snapadmin/model/show.html       | 199 +++++++++-----
 5 files changed, 537 insertions(+), 299 deletions(-)

diff --git a/src/main/java/tech/ailef/snapadmin/external/dbmapping/DbObjectSchema.java b/src/main/java/tech/ailef/snapadmin/external/dbmapping/DbObjectSchema.java
index a61353ec..269a891f 100644
--- a/src/main/java/tech/ailef/snapadmin/external/dbmapping/DbObjectSchema.java
+++ b/src/main/java/tech/ailef/snapadmin/external/dbmapping/DbObjectSchema.java
@@ -5,7 +5,6 @@
 
  */
 
-
 package tech.ailef.snapadmin.external.dbmapping;
 
 import java.lang.reflect.InvocationTargetException;
@@ -53,148 +52,170 @@ public class DbObjectSchema {
 	 */
 	@JsonIgnore
 	private List<DbField> fields = new ArrayList<>();
-	
+
 	/**
 	 * The methods designated as computed columns in the `@Entity` class.
 	 */
 	@JsonIgnore
 	private Map<String, Method> computedColumns = new HashMap<>();
-	
+
 	/**
 	 * A JPA repository to operate on the database
 	 */
 	private CustomJpaRepository jpaRepository;
-	
+
 	private SnapAdmin snapAdmin;
-	
+
 	/**
 	 * The corresponding `@Entity` class that this schema describes
 	 */
 	@JsonIgnore
 	private Class<?> entityClass;
-	
+
 	/**
 	 * The name of this table on the database
 	 */
 	private String tableName;
-	
+
 	private List<MappingError> errors = new ArrayList<>();
-	
+
 	/**
-	 * Initializes this schema for the specific `@Entity` class. 
+	 * Initializes this schema for the specific `@Entity` class.
 	 * Determines the table name from the `@Table` annotation and also
 	 * which methods are `@ComputedColumn`s
-	 * @param klass the `@Entity` class
+	 * 
+	 * @param klass     the `@Entity` class
 	 * @param snapAdmin the SnapAdmin instance
 	 */
 	public DbObjectSchema(Class<?> klass, SnapAdmin snapAdmin) {
 		this.snapAdmin = snapAdmin;
 		this.entityClass = klass;
-		
+
 		Table tableAnnotation = klass.getAnnotation(Table.class);
-		
+
 		String tableName = Utils.camelToSnake(getJavaClass().getSimpleName());
 		if (tableAnnotation != null && tableAnnotation.name() != null
-			&& !tableAnnotation.name().isBlank()) { 
+				&& !tableAnnotation.name().isBlank()) {
 			tableName = tableAnnotation.name();
 		}
 
 		this.tableName = tableName;
-		
+
 		List<Method> methods = Arrays.stream(entityClass.getMethods())
 				.filter(m -> m.getAnnotation(ComputedColumn.class) != null)
 				.collect(Collectors.toList());
 		for (Method m : methods) {
 			if (m.getParameterCount() > 0)
 				throw new SnapAdminException("@ComputedColumn can only be applied on no-args methods");
-			
+
 			String name = m.getAnnotation(ComputedColumn.class).name();
 			if (name.isBlank())
 				name = Utils.camelToSnake(m.getName());
-			
+
 			computedColumns.put(name, m);
 		}
 	}
-	
+
 	public String getBasePackage() {
 		return entityClass.getPackageName();
 	}
-	
+
 	/**
 	 * Returns the SnapAdmin instance
+	 * 
 	 * @return the SnapAdmin instance
 	 */
 	public SnapAdmin getSnapAdmin() {
 		return snapAdmin;
 	}
-	
+
 	/**
 	 * Returns the Java class for the underlying `@Entity` this schema
 	 * corresponds to
-	 * @return  the Java class for the `@Entity` this schema corresponds to
+	 * 
+	 * @return the Java class for the `@Entity` this schema corresponds to
 	 */
 	@JsonIgnore
 	public Class<?> getJavaClass() {
 		return entityClass;
 	}
-	
+
 	/**
 	 * Returns the name of the Java class for the underlying `@Entity` this schema
 	 * corresponds to
-	 * @return  the name of the Java class for the `@Entity` this schema corresponds to
+	 * 
+	 * @return the name of the Java class for the `@Entity` this schema corresponds
+	 *         to
 	 */
 	@JsonIgnore
 	public String getClassName() {
 		return entityClass.getName();
 	}
-	
+
+	/**
+	 * Returns the human readable name of the Java class for the underlying `@Entity` this schema
+	 * corresponds to
+	 * 
+	 * @return the human readable name of the Java class for the `@Entity` this schema corresponds
+	 *         to
+	 */
+	@JsonIgnore
+	public String getSimpleName() {
+		return entityClass.getSimpleName();
+	}
+
 	/**
 	 * Returns an unmodifiable list of all the fields in the schema
+	 * 
 	 * @return an unmodifiable list of all the fields in the schema
 	 */
 	public List<DbField> getFields() {
 		return Collections.unmodifiableList(fields);
 	}
-	
+
 	public List<MappingError> getErrors() {
 		return Collections.unmodifiableList(errors);
 	}
-	
+
 	/**
 	 * Get a field by its Java name, i.e. the name of the instance variable
 	 * in the `@Entity` class
-	 * @param name	name of the instance variable
-	 * @return	the DbField if found, null otherwise
+	 * 
+	 * @param name name of the instance variable
+	 * @return the DbField if found, null otherwise
 	 */
 	public DbField getFieldByJavaName(String name) {
 		return fields.stream().filter(f -> f.getJavaName().equals(name)).findFirst().orElse(null);
 	}
-	
+
 	/**
 	 * Get a field by its database name, i.e. the name of the column corresponding
 	 * to the field
-	 * @param name	name of the column
-	 * @return	the DbField if found, null otherwise
+	 * 
+	 * @param name name of the column
+	 * @return the DbField if found, null otherwise
 	 */
 	public DbField getFieldByName(String name) {
 		return fields.stream().filter(f -> f.getName().equals(name)).findFirst().orElse(null);
 	}
-	
+
 	/**
 	 * Adds a field to this schema. This is used by the SnapAdmin instance
 	 * during initialization and it's not supposed to be called afterwards
-	 * @param f	the DbField to add
+	 * 
+	 * @param f the DbField to add
 	 */
 	public void addField(DbField f) {
 		fields.add(f);
 	}
-	
+
 	public void addError(MappingError error) {
 		errors.add(error);
 	}
-	
+
 	/**
 	 * Returns the underlying CustomJpaRepository
+	 * 
 	 * @return
 	 */
 	public CustomJpaRepository getJpaRepository() {
@@ -203,32 +224,35 @@ public CustomJpaRepository getJpaRepository() {
 
 	/**
 	 * Sets the underlying CustomJpaRepository
+	 * 
 	 * @param jpaRepository
 	 */
 	public void setJpaRepository(CustomJpaRepository jpaRepository) {
 		this.jpaRepository = jpaRepository;
 	}
-	
+
 	/**
-	 * Returns the inferred table name for this schema 
+	 * Returns the inferred table name for this schema
+	 * 
 	 * @return
 	 */
 	public String getTableName() {
 		return tableName;
 	}
-	
+
 	/**
-	 * See {@link DbObjectSchema#getSortedFields()} 
+	 * See {@link DbObjectSchema#getSortedFields()}
+	 * 
 	 * @return
 	 */
 	@JsonIgnore
 	public List<DbField> getSortedFields() {
 		return getSortedFields(true);
 	}
-	
+
 	/**
 	 * Returns a sorted list of physical fields (i.e., fields that correspond to
-	 * a column in the table as opposed to fields that are just present as 
+	 * a column in the table as opposed to fields that are just present as
 	 * instance variables, like relationship fields). Sorted alphabetically
 	 * with priority the primary key, and non nullable fields.
 	 * 
@@ -237,54 +261,55 @@ public List<DbField> getSortedFields() {
 	 * hidden columns are included if they are not nullable.
 	 * 
 	 * @param readOnly whether we only need to read the fields are create/edit
-	 * @return 
+	 * @return
 	 */
 	public List<DbField> getSortedFields(boolean readOnly) {
 		return getFields().stream()
-			.filter(f -> {
-				boolean toMany = f.getPrimitiveField().getAnnotation(OneToMany.class) == null
-					&& f.getPrimitiveField().getAnnotation(ManyToMany.class) == null;
-				
-				OneToOne oneToOne = f.getPrimitiveField().getAnnotation(OneToOne.class);
-				boolean mappedBy = oneToOne != null && !oneToOne.mappedBy().isBlank();
-				
-				boolean hidden = f.getPrimitiveField().getAnnotation(HiddenColumn.class) != null;
-				
-				
-				return toMany && !mappedBy && (!hidden || !readOnly);
-			})
-			.sorted((a, b) -> {
-				if (a.isPrimaryKey() && !b.isPrimaryKey())
-					return -1;
-				if (b.isPrimaryKey() && !a.isPrimaryKey())
-					return 1;
-				
-				if (!a.isNullable() && b.isNullable())
-					return -1;
-				if (a.isNullable() && !b.isNullable())
-					return 1;
-				
-				return a.getName().compareTo(b.getName());
-			}).collect(Collectors.toList());
-	}
-	
+				.filter(f -> {
+					boolean toMany = f.getPrimitiveField().getAnnotation(OneToMany.class) == null
+							&& f.getPrimitiveField().getAnnotation(ManyToMany.class) == null;
+
+					OneToOne oneToOne = f.getPrimitiveField().getAnnotation(OneToOne.class);
+					boolean mappedBy = oneToOne != null && !oneToOne.mappedBy().isBlank();
+
+					boolean hidden = f.getPrimitiveField().getAnnotation(HiddenColumn.class) != null;
+
+					return toMany && !mappedBy && (!hidden || !readOnly);
+				})
+				.sorted((a, b) -> {
+					if (a.isPrimaryKey() && !b.isPrimaryKey())
+						return -1;
+					if (b.isPrimaryKey() && !a.isPrimaryKey())
+						return 1;
+
+					if (!a.isNullable() && b.isNullable())
+						return -1;
+					if (a.isNullable() && !b.isNullable())
+						return 1;
+
+					return a.getName().compareTo(b.getName());
+				}).collect(Collectors.toList());
+	}
+
 	/**
 	 * Returns the list of relationship fields
+	 * 
 	 * @return
 	 */
 	public List<DbField> getRelationshipFields() {
 		List<DbField> res = getFields().stream().filter(f -> {
 			return f.getPrimitiveField().getAnnotation(OneToMany.class) != null
-				|| f.getPrimitiveField().getAnnotation(ManyToMany.class) != null;
+					|| f.getPrimitiveField().getAnnotation(ManyToMany.class) != null;
 		})
-		.filter(f -> snapAdmin.isManagedClass(f.getConnectedType()))
-		.collect(Collectors.toList());
+				.filter(f -> snapAdmin.isManagedClass(f.getConnectedType()))
+				.collect(Collectors.toList());
 		return res;
 	}
-	
+
 	/**
 	 * Returns the list of ManyToMany fields owned by this class (i.e. they
 	 * do not have "mappedBy")
+	 * 
 	 * @return
 	 */
 	public List<DbField> getManyToManyOwnedFields() {
@@ -294,9 +319,10 @@ public List<DbField> getManyToManyOwnedFields() {
 		}).collect(Collectors.toList());
 		return res;
 	}
-	
+
 	/**
 	 * Returns the DbField which serves as the primary key for this schema
+	 * 
 	 * @return
 	 */
 	@JsonIgnore
@@ -305,54 +331,59 @@ public DbField getPrimaryKey() {
 		if (pk.isPresent())
 			return pk.get();
 		else
-			throw new RuntimeException("No primary key defined on " + entityClass.getName() + " (table `" + tableName + "`)");
+			throw new RuntimeException(
+					"No primary key defined on " + entityClass.getName() + " (table `" + tableName + "`)");
 	}
-	
+
 	/**
 	 * Returns the names of the `@ComputedColumn`s in this schema
+	 * 
 	 * @return
 	 */
 	public List<String> getComputedColumnNames() {
 		return computedColumns.keySet().stream().sorted().toList();
 	}
-	
+
 	/**
 	 * Returns the method for the given `@ComputedColumn` name
+	 * 
 	 * @param name the name of the `@ComputedColumn`
 	 * @return the corresponding instance method if found, null otherwise
 	 */
 	public Method getComputedColumn(String name) {
 		return computedColumns.get(name);
 	}
-	
+
 	/**
 	 * Returns the list of fields that are `@Filterable`
-	 * @return 
+	 * 
+	 * @return
 	 */
 	public List<DbField> getFilterableFields() {
-		return getSortedFields().stream().filter(f -> { 
+		return getSortedFields().stream().filter(f -> {
 			return !f.isBinary() && !f.isPrimaryKey() && f.isFilterable();
 		}).toList();
 	}
-	
+
 	public boolean isDeleteEnabled() {
 		return entityClass.getAnnotation(DisableDelete.class) == null;
 	}
-	
+
 	public boolean isEditEnabled() {
 		return entityClass.getAnnotation(DisableEdit.class) == null;
 	}
-	
+
 	public boolean isCreateEnabled() {
 		return entityClass.getAnnotation(DisableCreate.class) == null;
 	}
-	
+
 	public boolean isExportEnabled() {
 		return entityClass.getAnnotation(DisableExport.class) == null;
 	}
-	
+
 	/**
 	 * Returns all the data in this schema, as `DbObject`s
+	 * 
 	 * @return
 	 */
 	public List<DbObject> findAll() {
@@ -364,62 +395,63 @@ public DbObject buildObject(Map<String, String> params, Map<String, MultipartFil
 		try {
 			Object instance = getJavaClass().getConstructor().newInstance();
 			DbObject dbObject = new DbObject(instance, this);
-			
+
 			for (String param : params.keySet()) {
 				// Parameters starting with __ are hidden and not related to the object creation
-				if (param.startsWith("__") 
-					|| param.equals("_csrf")) continue;
-				
+				if (param.startsWith("__")
+						|| param.equals("_csrf"))
+					continue;
+
 				DbField dbField = getFieldByName(param);
-				
+
 				if (dbField == null)
-					throw new SnapAdminNotFoundException("Cannot find field " + param + " in " + getJavaClass().getName());
-				
+					throw new SnapAdminNotFoundException(
+							"Cannot find field " + param + " in " + getJavaClass().getName());
+
 				String javaFieldName = dbField.getJavaName();
 				Method setter = dbObject.findSetter(javaFieldName);
-				
-				if (setter ==  null) {
+
+				if (setter == null) {
 					throw new RuntimeException("Cannot find setter for " + javaFieldName);
 				}
-				
-				Object parsedFieldValue = 
-					getFieldByName(param).getType().parseValue(params.get(param));
+
+				Object parsedFieldValue = getFieldByName(param).getType().parseValue(params.get(param));
 
 				if (parsedFieldValue != null && getFieldByName(param).isSettable()) {
 					setter.invoke(instance, parsedFieldValue);
 				}
-				
+
 				if (parsedFieldValue != null && getFieldByName(param).isToOne()) {
 					dbObject.setRelationship(param, parsedFieldValue);
 				}
 			}
-			
+
 			for (String fileParam : files.keySet()) {
-				if (fileParam.startsWith("__")) continue;
+				if (fileParam.startsWith("__"))
+					continue;
 
 				String javaFieldName = getFieldByName(fileParam).getJavaName();
 				Method setter = dbObject.findSetter(javaFieldName);
-				
-				if (setter ==  null) {
+
+				if (setter == null) {
 					throw new RuntimeException("Cannot find setter for " + fileParam);
 				}
-				
-				Object parsedFieldValue = 
-						getFieldByName(fileParam).getType().parseValue(params.get(fileParam));
-				
+
+				Object parsedFieldValue = getFieldByName(fileParam).getType().parseValue(params.get(fileParam));
+
 				if (parsedFieldValue != null && getFieldByName(fileParam).isSettable()) {
 					setter.invoke(instance, parsedFieldValue);
 				}
 			}
-			
+
 			return dbObject;
 		} catch (InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException
 				| NoSuchMethodException | SecurityException e) {
 			throw new SnapAdminException(e);
 		}
-		
+
 	}
-	
+
 	@Override
 	public String toString() {
 		return "DbObjectSchema [fields=" + fields + ", className=" + entityClass.getName() + "]";
@@ -441,5 +473,5 @@ public boolean equals(Object obj) {
 		DbObjectSchema other = (DbObjectSchema) obj;
 		return Objects.equals(tableName, other.tableName);
 	}
-	
+
 }
diff --git a/src/main/resources/templates/snapadmin/model/create.html b/src/main/resources/templates/snapadmin/model/create.html
index aa09675f..edd585b2 100644
--- a/src/main/resources/templates/snapadmin/model/create.html
+++ b/src/main/resources/templates/snapadmin/model/create.html
@@ -1,54 +1,98 @@
-<!DOCTYPE html>
+<!doctype html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
-	<head th:replace="~{snapadmin/fragments/resources::head}">
-	</head>
+	<head th:replace="~{snapadmin/fragments/resources::head}"> </head>
 	<body>
-	
 		<div class="bg-light main-wrapper">
 			<nav th:replace="~{snapadmin/fragments/resources :: navbar}"></nav>
-		    <div class="d-flex">
-		    	<div th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"></div>
-		    	<div class="main-content bg-lighter">
-		    		<th:block th:replace="~{snapadmin/fragments/resources :: alerts}"></th:block>
+			<div class="d-flex">
+				<div
+					th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"
+				></div>
+				<div class="main-content bg-lighter">
+					<th:block
+						th:replace="~{snapadmin/fragments/resources :: alerts}"
+					></th:block>
 
 					<h1 class="fw-bold mb-4">
-						<i class="align-middle bi bi-database"></i> 
-						<span class="align-middle"><a th:href="|/${snapadmin_baseUrl}|">Entities </a></span>
-						<i class="align-middle bi bi-chevron-double-right"></i> 
-						<a class="align-middle" th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|">
-						 [[ ${schema.getJavaClass().getSimpleName()} ]] </a>
-						<i class="align-middle bi bi-chevron-double-right"></i> 
-						<span class="align-middle" th:text="${create ? 'Create' : 'Edit'}"></span>
+						<i class="align-middle bi bi-database"></i>
+						<span class="align-middle"
+							><a th:href="|/${snapadmin_baseUrl}|"
+								>Entities
+							</a></span
+						>
+						<i class="align-middle bi bi-chevron-double-right"></i>
+						<a
+							class="align-middle"
+							th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"
+						>
+							[[ ${schema.getSimpleName()} ]]
+						</a>
+						<i class="align-middle bi bi-chevron-double-right"></i>
+						<span
+							class="align-middle"
+							th:text="${create ? 'Create' : 'Edit'}"
+						></span>
 						<th:block th:if="${!create}">
-							<i class="align-middle bi bi-chevron-double-right"></i> 
-							<span class="align-middle" th:text="${object.getDisplayName()}"></span>
+							<i
+								class="align-middle bi bi-chevron-double-right"
+							></i>
+							<span
+								class="align-middle"
+								th:text="${object.getDisplayName()}"
+							></span>
 						</th:block>
 					</h1>
-		    		<div class="row mt-4">
-		    			<div class="col">
-		    				<div class="box">
-								<h3 class="fw-bold mb-4" th:text="${create ? schema.getJavaClass().getSimpleName() : object.getDisplayName()}"></h3>
-		        				<form class="form" enctype="multipart/form-data" method="post" th:action="|/${snapadmin_baseUrl}/model/${className}/create|">
-		        					<input type="hidden" name="__snapadmin_create" th:value="${create}">
-									<div th:each="field : ${schema.getSortedFields(false)}" class="mt-2"
+					<div class="row mt-4">
+						<div class="col">
+							<div class="box">
+								<h3
+									class="fw-bold mb-4"
+									th:text="${create ? schema.getSimpleName() : object.getDisplayName()}"
+								></h3>
+								<form
+									class="form"
+									enctype="multipart/form-data"
+									method="post"
+									th:action="|/${snapadmin_baseUrl}/model/${className}/create|"
+								>
+									<input
+										type="hidden"
+										name="__snapadmin_create"
+										th:value="${create}"
+									/>
+									<div
+										th:each="field : ${schema.getSortedFields(false)}"
+										class="mt-2"
 										th:if="${!field.isGeneratedValue() || !create}"
-										th:classAppend="|${validationErrors != null && validationErrors.hasErrors(field.getJavaName()) ? 'invalid' : ''}|">
-										<label th:for="|__id_${field.getName()}|" class="mb-1 fw-bold">
-											<span th:if="${!field.isNullable() && !field.isPrimaryKey()}">
+										th:classAppend="|${validationErrors != null && validationErrors.hasErrors(field.getJavaName()) ? 'invalid' : ''}|"
+									>
+										<label
+											th:for="|__id_${field.getName()}|"
+											class="mb-1 fw-bold"
+										>
+											<span
+												th:if="${!field.isNullable() && !field.isPrimaryKey()}"
+											>
 												*
 											</span>
 											[[ ${field.getName()} ]]
 										</label>
-										
-										<th:block th:if="${field.isForeignKey()}">
-											<div th:replace="~{snapadmin/fragments/forms :: input_autocomplete(field=${field},  value=${
+
+										<th:block
+											th:if="${field.isForeignKey()}"
+										>
+											<div
+												th:replace="~{snapadmin/fragments/forms :: input_autocomplete(field=${field},  value=${
 												create ? (params != null ? params.getOrDefault(field.getName(), '') : '') 
 														 : (object != null && object.traverse(field) != null ? object.traverse(field).getPrimaryKeyValue() : '' )
-											})}">
-											</div>
+											})}"
+											></div>
 										</th:block>
-										<th:block th:unless="${field.isForeignKey()}">
-											<th:block th:replace="~{snapadmin/fragments/inputs :: 
+										<th:block
+											th:unless="${field.isForeignKey()}"
+										>
+											<th:block
+												th:replace="~{snapadmin/fragments/inputs :: 
 												__${field.getFragmentName()}__(
 													field=${field},
 													create=${create},
@@ -56,36 +100,60 @@ <h3 class="fw-bold mb-4" th:text="${create ? schema.getJavaClass().getSimpleName
 													value=${create ? (params != null ? params.getOrDefault(field.getName(), '') : '') 
 														     : (object != null ? object.get(field).getValue() : '' )}
 													)}
-												"></th:block>
-											
+												"
+											></th:block>
 										</th:block>
-										<ul class="text-red mt-2" th:if="${validationErrors != null && validationErrors.hasErrors(field.getJavaName())}">
-											<li th:each="error : ${validationErrors.forField(field.getJavaName())}"
-												th:text="${error.getMessage()}"></li>
+										<ul
+											class="text-red mt-2"
+											th:if="${validationErrors != null && validationErrors.hasErrors(field.getJavaName())}"
+										>
+											<li
+												th:each="error : ${validationErrors.forField(field.getJavaName())}"
+												th:text="${error.getMessage()}"
+											></li>
 										</ul>
-										<div class="separator mt-3 mb-2 separator-light"></div>
+										<div
+											class="separator mt-3 mb-2 separator-light"
+										></div>
 									</div>
-									
-									<div th:each="field : ${schema.getManyToManyOwnedFields()}" class="mt-3">
-										<h2><span th:title="|${field.getType()} relationship|"><i class="bi bi-share"></i> [[ ${field.getJavaName()} ]]</span></h2>
-										<div th:replace="~{snapadmin/fragments/forms :: input_autocomplete_multi(field=${field}, 
-											values=${object != null ? object.traverseMany(field) : null } )}">
-										</div>
+
+									<div
+										th:each="field : ${schema.getManyToManyOwnedFields()}"
+										class="mt-3"
+									>
+										<h2>
+											<span
+												th:title="|${field.getType()} relationship|"
+												><i class="bi bi-share"></i> [[
+												${field.getJavaName()} ]]</span
+											>
+										</h2>
+										<div
+											th:replace="~{snapadmin/fragments/forms :: input_autocomplete_multi(field=${field}, 
+											values=${object != null ? object.traverseMany(field) : null } )}"
+										></div>
 									</div>
 
-									
-									<div class="d-flex mt-4 justify-content-between">
-										<a th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}|" class="ui-btn btn btn-secondary">Cancel</a>
-										<input type="submit" class="ui-btn btn btn-primary" th:value="${object != null ? 'Save' : 'Create'}">
+									<div
+										class="d-flex mt-4 justify-content-between"
+									>
+										<a
+											th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}|"
+											class="ui-btn btn btn-secondary"
+											>Cancel</a
+										>
+										<input
+											type="submit"
+											class="ui-btn btn btn-primary"
+											th:value="${object != null ? 'Save' : 'Create'}"
+										/>
 									</div>
 								</form>
 							</div>
-		    			</div>
-		    		</div>
-		    	</div>
-		    </div>
+						</div>
+					</div>
+				</div>
+			</div>
 		</div>
-	
-		
 	</body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/templates/snapadmin/model/list.html b/src/main/resources/templates/snapadmin/model/list.html
index fd59aed3..57d4e2b4 100644
--- a/src/main/resources/templates/snapadmin/model/list.html
+++ b/src/main/resources/templates/snapadmin/model/list.html
@@ -104,7 +104,7 @@ <h5 class="fw-bold mt-3">Export format</h3>
 					<h1 class="fw-bold mb-4"><i class="align-middle bi bi-database"></i>
 						<span class="align-middle"><a th:href="|/${snapadmin_baseUrl}|">Entities</a></span> 
 						<i class="align-middle bi bi-chevron-double-right"></i> 
-						<span class="align-middle"> [[ ${schema.getJavaClass().getSimpleName()} ]] </span>
+						<span class="align-middle"> [[ ${schema.getSimpleName()} ]] </span>
 					</h1>
 		    		<div class="row mt-4">
 		    			<div th:class="${schema.getFilterableFields().isEmpty() ? 'col' : 'col-9'}">
@@ -147,7 +147,7 @@ <h1 class="fw-bold mb-4"><i class="align-middle bi bi-database"></i>
 		    					
 		    					
 									<h3 class="fw-bold mb-4 align-baseline flex-grow-1">
-										<span title="Java class name"> [[ ${schema.getJavaClass().getSimpleName()} ]] </span>
+										<span title="Java class name"> [[ ${schema.getSimpleName()} ]] </span>
 										<span title="Database table name" class="ms-3 label label-primary label-gray font-monospace">
 											[[ ${schema.getTableName()} ]]
 										</span>
diff --git a/src/main/resources/templates/snapadmin/model/schema.html b/src/main/resources/templates/snapadmin/model/schema.html
index 71ab655d..2a33f163 100644
--- a/src/main/resources/templates/snapadmin/model/schema.html
+++ b/src/main/resources/templates/snapadmin/model/schema.html
@@ -1,63 +1,105 @@
-<!DOCTYPE html>
+<!doctype html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
-	<head th:replace="~{snapadmin/fragments/resources::head}">
-	</head>
+	<head th:replace="~{snapadmin/fragments/resources::head}"> </head>
 	<body>
-	
 		<div class="bg-light main-wrapper">
 			<nav th:replace="~{snapadmin/fragments/resources :: navbar}"></nav>
-		    <div class="d-flex">
-		    	<div th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"></div>
-		    	<div class="main-content bg-lighter">
-					<h1 class="fw-bold mb-4"><i class="bi bi-database"></i> 
-						<a class="align-middle" th:href="|/${snapadmin_baseUrl}|">Entities</a> 
+			<div class="d-flex">
+				<div
+					th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"
+				></div>
+				<div class="main-content bg-lighter">
+					<h1 class="fw-bold mb-4">
+						<i class="bi bi-database"></i>
+						<a
+							class="align-middle"
+							th:href="|/${snapadmin_baseUrl}|"
+							>Entities</a
+						>
 						<i class="align-middle bi bi-chevron-double-right"></i>
-						<a class="align-middle" th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"> [[ ${schema.getJavaClass().getSimpleName()} ]]</a>
-						<i class="align-middle bi bi-chevron-double-right"></i><span class="align-middle"> Schema</span>
+						<a
+							class="align-middle"
+							th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"
+						>
+							[[ ${schema.getSimpleName()} ]]</a
+						>
+						<i class="align-middle bi bi-chevron-double-right"></i
+						><span class="align-middle"> Schema</span>
 					</h1>
-		    		<div class="row mt-4">
-		    			<div class="col">
-		    				<div class="w-100 d-flex inner-navigation">
-	    						<a th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|">
-		    						<div class="ui-tab ps-5 pe-5 p-3">
-		    							<i class="bi bi-database pe-2"></i> DATA
-		    						</div>
-		    					</a>
-		    					<a th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}/schema|" class="active">
-		    						<div class="ui-tab ps-5 pe-5 p-3">
-		    							<i class="bi bi-table pe-2"></i> SCHEMA
-		    						</div>
-		    					</a>
-		    					<div class="inner-navigation-border flex-grow-1">
-		    					</div>
-	    					</div>
-		    				<div class="box with-navigation">
-		    					<div class="d-flex justify-content-between">
+					<div class="row mt-4">
+						<div class="col">
+							<div class="w-100 d-flex inner-navigation">
+								<a
+									th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"
+								>
+									<div class="ui-tab ps-5 pe-5 p-3">
+										<i class="bi bi-database pe-2"></i> DATA
+									</div>
+								</a>
+								<a
+									th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}/schema|"
+									class="active"
+								>
+									<div class="ui-tab ps-5 pe-5 p-3">
+										<i class="bi bi-table pe-2"></i> SCHEMA
+									</div>
+								</a>
+								<div
+									class="inner-navigation-border flex-grow-1"
+								></div>
+							</div>
+							<div class="box with-navigation">
+								<div class="d-flex justify-content-between">
 									<h3 class="fw-bold align-baseline">
-										<span title="Java class name"> [[ ${schema.getJavaClass().getSimpleName()} ]] </span>
-										<span title="Database table name" class="ms-3 label label-primary label-gray font-monospace">
+										<span title="Java class name">
+											[[ ${schema.getSimpleName()} ]]
+										</span>
+										<span
+											title="Database table name"
+											class="ms-3 label label-primary label-gray font-monospace"
+										>
 											[[ ${schema.getTableName()} ]]
 										</span>
 									</h3>
-									<h3 class="create-button"><a  th:title="|${!schema.isCreateEnabled() ? 'CREATE disabled for this type' : 'Create new item'}|"  
-										th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/create|"
-										th:class="|${!schema.isCreateEnabled() ? 'disable' : ''}|"><i class="bi bi-plus-square"></i></a></h3>
+									<h3 class="create-button">
+										<a
+											th:title="|${!schema.isCreateEnabled() ? 'CREATE disabled for this type' : 'Create new item'}|"
+											th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/create|"
+											th:class="|${!schema.isCreateEnabled() ? 'disable' : ''}|"
+											><i class="bi bi-plus-square"></i
+										></a>
+									</h3>
 								</div>
 								<div class="mb-4 operations-badges">
-									<span class="align-middle noselect badge"
-										th:classAppend="|${schema.isCreateEnabled() ? 'bg-enabled' : 'bg-disabled'}|">
-										<i class="bi" 
-											th:classAppend="|${schema.isCreateEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"></i> Create
+									<span
+										class="align-middle noselect badge"
+										th:classAppend="|${schema.isCreateEnabled() ? 'bg-enabled' : 'bg-disabled'}|"
+									>
+										<i
+											class="bi"
+											th:classAppend="|${schema.isCreateEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"
+										></i>
+										Create
 									</span>
-									<span class="align-middle noselect badge"
-										th:classAppend="|${schema.isEditEnabled() ? 'bg-enabled' : 'bg-disabled'}|">
-										<i class="bi"
-											th:classAppend="|${schema.isEditEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"></i> Edit
+									<span
+										class="align-middle noselect badge"
+										th:classAppend="|${schema.isEditEnabled() ? 'bg-enabled' : 'bg-disabled'}|"
+									>
+										<i
+											class="bi"
+											th:classAppend="|${schema.isEditEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"
+										></i>
+										Edit
 									</span>
-									<span class="align-middle noselect badge"
-										th:classAppend="|${schema.isDeleteEnabled() ? 'bg-enabled' : 'bg-disabled'}|">
-										<i class="bi"
-											th:classAppend="|${schema.isDeleteEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"></i> Delete
+									<span
+										class="align-middle noselect badge"
+										th:classAppend="|${schema.isDeleteEnabled() ? 'bg-enabled' : 'bg-disabled'}|"
+									>
+										<i
+											class="bi"
+											th:classAppend="|${schema.isDeleteEnabled() ? 'bi-check-circle-fill' : 'bi-x-circle-fill'}|"
+										></i>
+										Delete
 									</span>
 								</div>
 								<table class="table table-striped align-middle">
@@ -67,37 +109,62 @@ <h3 class="create-button"><a  th:title="|${!schema.isCreateEnabled() ? 'CREATE d
 										<th>Type</th>
 										<th>Nullable</th>
 									</tr>
-									<tr th:each="field : ${schema.getSortedFields()}" class="table-data-row">
+									<tr
+										th:each="field : ${schema.getSortedFields()}"
+										class="table-data-row"
+									>
 										<td>
-											<span th:if="${field.isPrimaryKey()}">
-												<i title="Primary Key" class="bi bi-key"></i>
+											<span
+												th:if="${field.isPrimaryKey()}"
+											>
+												<i
+													title="Primary Key"
+													class="bi bi-key"
+												></i>
 											</span>
-											<span th:if="${field.isForeignKey()}">
-												<i title="Foreign Key" class="bi bi-link"></i>
+											<span
+												th:if="${field.isForeignKey()}"
+											>
+												<i
+													title="Foreign Key"
+													class="bi bi-link"
+												></i>
 											</span>
 										</td>
 										<td>
-											<span class="m-0 p-0" th:text="${field.getName()}"></span>
-										</td>
-										<td th:text="${field.getType()}">
+											<span
+												class="m-0 p-0"
+												th:text="${field.getName()}"
+											></span>
 										</td>
-										<td th:text="${field.isNullable()}"></td>
+										<td th:text="${field.getType()}"></td>
+										<td
+											th:text="${field.isNullable()}"
+										></td>
 									</tr>
 								</table>
-								<div th:if="${!schema.getErrors().isEmpty()}"  class="separator mb-2 mt-2"></div>
-								<h3 th:if="${!schema.getErrors().isEmpty()}" 
-									class="fw-bold mt-3 mb-3"><i class="bi bi-exclamation-triangle"></i> Errors</h3>
+								<div
+									th:if="${!schema.getErrors().isEmpty()}"
+									class="separator mb-2 mt-2"
+								></div>
+								<h3
+									th:if="${!schema.getErrors().isEmpty()}"
+									class="fw-bold mt-3 mb-3"
+								>
+									<i class="bi bi-exclamation-triangle"></i>
+									Errors
+								</h3>
 								<ul class="mapping-errors">
-									<li th:each="error : ${schema.getErrors()}" th:text="${error.getMessage()}">
-									</li>
+									<li
+										th:each="error : ${schema.getErrors()}"
+										th:text="${error.getMessage()}"
+									></li>
 								</ul>
 							</div>
-		    			</div>
-		    		</div>
-		    	</div>
-		    </div>
+						</div>
+					</div>
+				</div>
+			</div>
 		</div>
-	
-		
 	</body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/templates/snapadmin/model/show.html b/src/main/resources/templates/snapadmin/model/show.html
index 42dc3800..caff0221 100644
--- a/src/main/resources/templates/snapadmin/model/show.html
+++ b/src/main/resources/templates/snapadmin/model/show.html
@@ -1,106 +1,177 @@
-<!DOCTYPE html>
+<!doctype html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
-	<head th:replace="~{snapadmin/fragments/resources::head}">
-	</head>
+	<head th:replace="~{snapadmin/fragments/resources::head}"> </head>
 	<body>
-	
 		<div class="bg-light main-wrapper">
 			<nav th:replace="~{snapadmin/fragments/resources :: navbar}"></nav>
-		    <div class="d-flex">
-		    	<div th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"></div>
-		    	<div class="main-content bg-lighter">
-					<h1 class="fw-bold mb-4"><i class="align-middle bi bi-database"></i> 
-						<a class="align-middle" th:href="|/${snapadmin_baseUrl}|">Entities</a> 
+			<div class="d-flex">
+				<div
+					th:replace="~{snapadmin/fragments/resources :: sidebar('entities')}"
+				></div>
+				<div class="main-content bg-lighter">
+					<h1 class="fw-bold mb-4">
+						<i class="align-middle bi bi-database"></i>
+						<a
+							class="align-middle"
+							th:href="|/${snapadmin_baseUrl}|"
+							>Entities</a
+						>
 						<i class="align-middle bi bi-chevron-double-right"></i>
-						<a class="align-middle" th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"> 
-						[[ ${schema.getJavaClass().getSimpleName()} ]]</a>
+						<a
+							class="align-middle"
+							th:href="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}|"
+						>
+							[[ ${schema.getSimpleName()} ]]</a
+						>
 						<i class="align-middle bi bi-chevron-double-right"></i>
-						<span class="align-middle"> [[ ${object.getDisplayName()} ]]</span>
+						<span class="align-middle">
+							[[ ${object.getDisplayName()} ]]</span
+						>
 					</h1>
-		    		<div class="row mt-4">
-		    			<div class="col">
-		    				<div class="box">
-		    					<div class="d-flex justify-content-between">
-		    						<h3 class="mb-3 fw-bold" th:text="${object.getDisplayName()}"></h3>
-									<h3><a
-										th:class="|${!schema.isEditEnabled() ? 'disable' : ''} me-2|" 
-										th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/edit/${object.getPrimaryKeyValue()}|">
-										<i class="bi bi-pencil"></i></a>
-										
-										<form class="delete-form me-2" method="POST" 
-											th:action="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}/delete/${object.getPrimaryKeyValue()}|">
-											<button th:class="|${!schema.isDeleteEnabled() ? 'disable' : ''}|"><i class="bi bi-trash"></i></button>
+					<div class="row mt-4">
+						<div class="col">
+							<div class="box">
+								<div class="d-flex justify-content-between">
+									<h3
+										class="mb-3 fw-bold"
+										th:text="${object.getDisplayName()}"
+									></h3>
+									<h3>
+										<a
+											th:class="|${!schema.isEditEnabled() ? 'disable' : ''} me-2|"
+											th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/edit/${object.getPrimaryKeyValue()}|"
+										>
+											<i class="bi bi-pencil"></i
+										></a>
+
+										<form
+											class="delete-form me-2"
+											method="POST"
+											th:action="|/${snapadmin_baseUrl}/model/${schema.getJavaClass().getName()}/delete/${object.getPrimaryKeyValue()}|"
+										>
+											<button
+												th:class="|${!schema.isDeleteEnabled() ? 'disable' : ''}|"
+											>
+												<i class="bi bi-trash"></i>
+											</button>
 										</form>
-										
-										<a th:title="|${!schema.isCreateEnabled() ? 'CREATE disabled for this type' : 'Create new item'}|" 
+
+										<a
+											th:title="|${!schema.isCreateEnabled() ? 'CREATE disabled for this type' : 'Create new item'}|"
 											th:class="|${!schema.isCreateEnabled() ? 'disable' : ''}|"
-											th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/create|"><i class="bi bi-plus-square"></i></a>
+											th:href="|/${snapadmin_baseUrl}/model/${schema.getClassName()}/create|"
+											><i class="bi bi-plus-square"></i
+										></a>
 									</h3>
 								</div>
-								
-								
-								<table class="table table-striped align-middle show-table">
+
+								<table
+									class="table table-striped align-middle show-table"
+								>
 									<tr class="table-data-row">
 										<th style="width: 32px"></th>
 										<th>Column</th>
 										<th>Value</th>
 										<th>Type</th>
 									</tr>
-									<tr th:each="field : ${schema.getSortedFields()}" class="table-data-row">
+									<tr
+										th:each="field : ${schema.getSortedFields()}"
+										class="table-data-row"
+									>
 										<td>
-											<span th:if="${field.isPrimaryKey()}">
-												<i title="Primary Key" class="bi bi-key"></i>
+											<span
+												th:if="${field.isPrimaryKey()}"
+											>
+												<i
+													title="Primary Key"
+													class="bi bi-key"
+												></i>
 											</span>
-											<span th:if="${field.isForeignKey()}">
-												<i title="Foreign Key" class="bi bi-link"></i>
+											<span
+												th:if="${field.isForeignKey()}"
+											>
+												<i
+													title="Foreign Key"
+													class="bi bi-link"
+												></i>
 											</span>
 										</td>
 										<td class="fw-bold">
-											<span class="m-0 p-0" th:text="${field.getName()}"></span>
+											<span
+												class="m-0 p-0"
+												th:text="${field.getName()}"
+											></span>
 										</td>
 										<td>
-											<th:block th:if="${!object.has(field)}">
-												<span class="font-monospace null-label">NULL</span>
+											<th:block
+												th:if="${!object.has(field)}"
+											>
+												<span
+													class="font-monospace null-label"
+													>NULL</span
+												>
 											</th:block>
-											<th:block th:if="${object.has(field)}">
-												<th:block th:replace="~{snapadmin/fragments/data_row :: data_row_field(field=${field}, object=${object})}"></th:block>
+											<th:block
+												th:if="${object.has(field)}"
+											>
+												<th:block
+													th:replace="~{snapadmin/fragments/data_row :: data_row_field(field=${field}, object=${object})}"
+												></th:block>
 											</th:block>
 										</td>
-										<td class="dbfieldtype" th:text="${field.getType()}">
-										</td>
+										<td
+											class="dbfieldtype"
+											th:text="${field.getType()}"
+										></td>
 									</tr>
-									<tr class="table-data-row" th:each="colName : ${schema.getComputedColumnNames()}">
+									<tr
+										class="table-data-row"
+										th:each="colName : ${schema.getComputedColumnNames()}"
+									>
 										<td>
 											<i class="bi bi-cpu"></i>
 										</td>
-										<td class="fw-bold" th:text="${colName}">
-										</td>
-										<td th:text="${object.compute(colName)}">
-										</td>
+										<td
+											class="fw-bold"
+											th:text="${colName}"
+										></td>
+										<td
+											th:text="${object.compute(colName)}"
+										></td>
 										<td>
-											<span class="dbfieldtype">COMPUTED</span>
+											<span class="dbfieldtype"
+												>COMPUTED</span
+											>
 										</td>
 									</tr>
 								</table>
-								
-								<div th:each="field : ${schema.getRelationshipFields()}">
+
+								<div
+									th:each="field : ${schema.getRelationshipFields()}"
+								>
 									<h2>
-										<span th:title="|${field.getType()} relationship|">
-											<i class="align-middle bi bi-share"></i> 
-											<span class="align-middle">[[ ${field.getJavaName()} ]]</span>
+										<span
+											th:title="|${field.getType()} relationship|"
+										>
+											<i
+												class="align-middle bi bi-share"
+											></i>
+											<span class="align-middle"
+												>[[ ${field.getJavaName()}
+												]]</span
+											>
 										</span>
 									</h2>
-									<div th:replace="~{snapadmin/fragments/table :: table(schema=${field.getConnectedSchema()}, 
-											results=${object.getValues(field)})}">
-									</div>
+									<div
+										th:replace="~{snapadmin/fragments/table :: table(schema=${field.getConnectedSchema()}, 
+											results=${object.getValues(field)})}"
+									></div>
 								</div>
 							</div>
-		    			</div>
-		    		</div>
-		    	</div>
-		    </div>
+						</div>
+					</div>
+				</div>
+			</div>
 		</div>
-	
-		
 	</body>
-</html>
\ No newline at end of file
+</html>