This repository has been archived by the owner on Nov 30, 2023. It is now read-only.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
>= 1.0.0 < 2.0.0
->>= 4.6.0 < 5.0.0
1.3.0
->4.6.0
By merging this PR, the below vulnerabilities will be automatically resolved:
By merging this PR, the below vulnerabilities will be automatically resolved:
Release Notes
handlebars-lang/handlebars.js (handlebars)
v4.6.0
Compare Source
Features:
d03b6ec
Bugfixes:
23d58e7
Chores, docs:
d7f0dcf
,187d611
,d337f40
c40d9f3
,8901c28
,e97685e
,1f61f21
164b7ff
,1ebce2b
14b621c
,1ec1737
,3a5b65e
,dde108e
,04b1984
,587e7a3
e913dc5
,ac4655e
,dc54952
d1fb07b
edcc84f
BREAKING CHANGES:
access to prototype properties is forbidden completely by default,
specific properties or methods can be allowed via runtime-options.
See #1633 for details.
If you are using Handlebars as documented, you should not be accessing prototype
properties from your template anyway, so the changes should not be a problem
for you. Only the use of undocumented features can break your build.
That is why we only bump the minor version despite mentioning breaking changes.
Commits
v4.5.3
Compare Source
Bugfixes:
f7f05d7
1988878
Chores / Build:
c02b05f
deprecate old assertion-methods -
93e284e
,886ba86
,0817dad
,93516a0
Security:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
have been added to the list of "properties that must be enumerable".
If a property by that name is found and not enumerable on its parent,
it will silently evaluate to
undefined
. This is done in both the compiled template and the "lookup"-helper.This will prevent new Remote-Code-Execution exploits that have been
published recently.
Compatibility notes:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
in the respect that those expression now returnundefined
rather than their actual value from the proto.increase the patch-version, because the incompatible use-cases
are not intended, undocumented and far less important than fixing
Remote-Code-Execution exploits on existing systems.
Commits
v4.5.2
Compare Source
v4.5.1
Compare Source
Bugfixs
5e9d17f
(#1589)Compatibility notes:
Commits
v4.5.0
Compare Source
Features / Improvements
62ed3c2
feb60f8
Bugfixes:
7fcf9d2
Chore:
7052e88
088e618
Compatibility notes:
Commits
v4.4.5
Compare Source
Bugfixes:
8d5530e
, #1579Commits
v4.4.4
Compare Source
Bugfixes:
f1752fe
Chore:
0b593bf
Compatibility notes:
Commits
v4.4.3
Compare Source
Bugfixes
Typings:
0440af2
Commits
v4.4.2
Compare Source
b7eada0
Commits
v4.4.1
Compare Source
Commits
v4.4.0
Compare Source
cf7545e
Commits
v4.3.5
Compare Source
Commits
v4.3.4
Compare Source
ff4d827
Compatibility notes:
Commits
v4.3.3
Compare Source
8742bde
Commits
v4.3.2
Compare Source
213c0bb
, #1563Compatibility notes:
Commits
v4.3.1
Compare Source
Fixes:
1266838
, #156193444c5
,64ecb9e
, #1560Commits
v4.3.0
Compare Source
Fixes:
2078c72
2078c72
Features:
allowCallsToHelperMissing
to allow callingblockHelperMissing
andhelperMissing
.Breaking changes:
Compatibility notes:
Compiler revision increased -
06b7224
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly -
2078c72
{{blockHelperMissing}}
wasnever intended and was part of the exploits that have been revealed early in 20https://github.com/handlebars-lang/handlebars.js/issues/1495s.js/issues/1495). It is also part of a new exploit that
is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
is now not possible anymore. Overriding those helpers is still possible.
allowCallsToHelperMissing
totrue
and thecalls will again be possible
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
Commits
v4.2.2
Compare Source
Commits
v4.2.1
Compare Source
Bugfixes:
c55a7be
, #1553Compatibility notes:
Commits
v4.2.0
Compare Source
Chore/Test:
grunt-saucelab
with current sauce-connect proxy -f119497
f9cce4d
a57b682
Bugfixes:
knownHelpers
doesnt allow for custom helpers (@NickCis)Features:
Compatibility notes:
shows that it works, but if it doesn't please open an issue.
Commits
v4.1.2
Compare Source
#1540 - added browser to package.json, resolves #1102 (@ouijan)
Compatibility notes:
Commits
v4.1.1
Compare Source
Bugfixes:
5cedd62
Refactorings:
048f2ce
445ae12
Compatibility notes:
Commits
v4.1.0
Compare Source
New Features
27ac1ee
Security fixes:
42841c4
, #1495Housekeeping
bacd473
78dd89c
6b87c21
Compatibility notes:
Access to class constructors (i.e.
({}).constructor
) is now prohibited to preventRemote Code Execution. This means that following construct will no work anymore:
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
Commits
v4.0.14
Compare Source
v4.0.13
Compare Source
v4.0.12
Compare Source
New features:
Various dependency updates
d3d3942
7729aa9
73d5637
)Bugfixes:
source-map
-package should work better withrollup
#1463Removed obsolete code:
0ddff8b
files
field -69c6ca5
8947dd0
Compatibility notes:
Commits
v4.0.11
Compare Source
uglify-js
is unconditionally imported, but only listed as optional dependency (@Turbo87)21386b6
Compatibility notes:
Commits
v4.0.10
Compare Source
0e953d1
Commits
v4.0.9
Compare Source
cc554a5
ed879a6
node handlebars -a ...
on Windows -2e21e2b
bdfdbea
b50ef03
6e6269f
7378f85
Compatibility notes:
Commits
v4.0.8
Compare Source
a00c598
Compatibility notes:
Commits
v4.0.7
Compare Source
c8f4b57
b617375
63a8e0c
5a164d0
01b0f65
406f2ee
a023cb4
c7dc353
Commits
v4.0.6
Compare Source
959ee55
(originallydfc7554
by @kpdecker)8c19874
(originally63fdb92
by @kpdecker)400916c
(originallya6121ca
by @kpdecker)fee2334
(originally871c32a
by @kpdecker)32d6363
(originally326734b
by @kpdecker)20c965c
(originally2ea6119
by @kpdecker)6c9f98c
(originally8289c0b
by @kpdecker)c393c81
(originally25458fd
by @kpdecker)Commits
v4.0.5
Compare Source
685cf92
7a6c228
0a3b3c2
c21118d
9f59de9
98a6717
Commits
v4.0.4
Compare Source
Commits
v4.0.3
Compare Source
Compatibility notes:
each
iteration withundefined
values has been restored to the 3.0 behaviors. Helper calls with undefined context values will now execute against an arbitrary empty object to avoid executing against global object in non-strict mode.]
can now be included in[]
wrapped identifiers by escaping with\
. Any[]
identifiers that include\
will now have to properly escape these values.Commits
v4.0.2
Compare Source
Commits
v4.0.1
Compare Source
New features:
Various dependency updates
d3d3942
7729aa9
73d5637
)Bugfixes:
source-map
-package should work better withrollup
#1463Removed obsolete code:
0ddff8b
files
field -69c6ca5
8947dd0
Compatibility notes:
Commits
v4.0.0
Compare Source
Compatibility notes:
if
that do not seem to alter the context. Any instances of../
in templates will need to be checked for the correct behavior under 4.0.0. In general templates will either reduce the number of../
instances or leave them as is. See #1028.=
character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e.<div foo={{bar}}>
. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.Commits
v3.0.8
Compare Source
v3.0.7
Compare Source
v3.0.6
Compare Source
v3.0.5
Compare Source
v3.0.4
Compare Source
v3.0.3
Compare Source
Commits
v3.0.2
Compare Source
a009a97
37a664b
Commits
v3.0.1
Compare Source
Commits
v3.0.0
Compare Source
#941 - Add support for dynamic partial names (@kpdecker)
#940 - Add missing reserved words so compiler knows to use array syntax: (@mattflaschen)
#938 - Fix example using #with helper (@diwo)
#930 - Add parent tracking and mutation to AST visitors (@kpdecker)
#926 - Depthed lookups fail when program duplicator runs (@kpdecker)
#918 - Add instructions for 'spec/mustache' to CONTRIBUTING.md, fix a few typos (@oneeman)
#915 - Ast update (@kpdecker)
#910 - Different behavior of {{@last}} when {{#each}} in {{#each}} (@zordius)
#907 - Implement named helper variable references (@kpdecker)
#906 - Add parser support for block params (@mmun)
#903 - Only provide aliases for multiple use calls (@kpdecker)
#902 - Generate Source Maps (@kpdecker)
#901 - Still escapes with noEscape enabled on isolated Handlebars environment (@zedknight)
#896 - Simplify BlockNode by removing intermediate MustacheNode (@mmun)
#892 - Implement parser for else chaining of helpers (@kpdecker)
#889 - Consider extensible parser API (@kpdecker)
#887 - Handlebars.noConflict() option? (@bradvogel)
#886 - Add SafeString to context (or use duck-typing) (@dominicbarnes)
[#870](https