@handlebars/allow-prototype-access
Advanced tools
Revert a Handlebars-instance ^4.6.0 to the proto-accessing behavior of 4.5.3
Revert a Handlebars-instance ^4.6.0 to the proto-accessing behavior of 4.5.3
This package allows you to create a new Handlebars instance, that behaves like version 4.5.3 and allows access to the prototype
In the past, Handlebars would allow you to access prototype methods and properties of the input object form the template.
start{{aString.trim}}end
with the input
{
aString: ' abc '
}
would result in the output startabcend.
Multiple security issues have come from this behaviour. Details can be found in the npm-security advisories 755, 1164, 1316, 1324 and 1325 and in the blog-article of Mahmoud Gamal.
Those issues have been fixed, but we cannot be sure that there are ways around the fixes. That's why, in handlebars@^4.6.0.
access to the object prototype has been disabled completely.
Now, if you use custom classes as input to Handlebars, your code won't work anymore.
class TestClass {
aMethod() {
return "returnValue";
}
}
const Handlebars = require("handlebars");
const template = Handlebars.compile("start {{aMethod}} end");
const output = template(new TestClass());
console.log(output);
Handlebars: Access has been denied to resolve the property "aMethod" because it is not an "own property" of its parent.
You can add a runtime option to disable the check or this warning:
See https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access for details
start end
This has now led to a number of problems for projects like typedoc, because they are using such classes as input for the template.
This package automatically adds runtime options to each template-calls, disabling the security restrictions.
The question is: Who is writing the templates that Handlebars is executing? Is it only your developers? Is it the user?
The leak published in npm advisory 755 meant that somebody writing a template could effectively execute code inside your server. Although the disclosed exploits have been fixed, new exploits have become much more probable, now that the principle is well-known, so:
If your users are writing templates and you execute them on your server you should NOT use this package, but rather find other ways to solve the problem. I suggest you convert your class-instances to plain JavaScript objects before passing them to the template function. Every property or function you access, must be an "own property" of its parent.
class TestClass {
aMethod() {
return "returnValue";
}
asTemplateInput() {
return {
aMethod: this.aMethod.bind(this)
};
}
}
const Handlebars = require("handlebars");
const template = Handlebars.compile("{{aMethod}}");
const output = template(new TestClass().asTemplateInput());
console.log(output);
npm install @handlebars/allow-prototype-access
The following example demonstrates how to use this module:
class TestClass {
aMethod() {
return "returnValue";
}
}
const Handlebars = require('handlebars')
const {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')
const insecureHandlebars = allowInsecurePrototypeAccess(Handlebars)
const template = insecureHandlebars.compile('{{aMethod}}')
const output = template(new TestClass);
console.log(output)
This will generate the following output
returnValue
The recommended solution for this constellation is not to use this package, but to use the lean()-method on Mongoose-queries. See https://mongoosejs.com/docs/tutorials/lean.html for details. This will ensure, that all properties passed to the template are "own"-properties
express-handlebars does not allow you to specify runtime-options to pass
to the template function. This package can help you disable prototype checks
for you models.
Only do this, if you have full control over the templates that are executed in the server.
const express = require('express');
const Handlebars = require('handlebars')
const expressHandlebars = require('express-handlebars');
const {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')
const app = express();
app.engine('handlebars', expressHandlebars({
handlebars: allowInsecurePrototypeAccess(Handlebars)
}));
app.set('view engine', 'handlebars');
...
@handlebars/allow-prototype-access is published under the MIT-license.
See LICENSE.md for details.
See CONTRIBUTING.md.
FAQs
Revert a Handlebars-instance ^4.6.0 to the proto-accessing behavior of 4.5.3
The npm package @handlebars/allow-prototype-access receives a total of 2,995 weekly downloads. As such, @handlebars/allow-prototype-access popularity was classified as popular.
We found that @handlebars/allow-prototype-access demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security Fundamentals
The Socket Threat Research Team uncovers how threat actors weaponize shell techniques across npm, PyPI, and Go ecosystems to maintain persistence and exfiltrate data.
Security News
At VulnCon 2025, NIST scrapped its NVD consortium plans, admitted it can't keep up with CVEs, and outlined automation efforts amid a mounting backlog.
Product
We redesigned our GitHub PR comments to deliver clear, actionable security insights without adding noise to your workflow.