express-hbs - npm Package Compare versions

express-hbs

Package Overview

Dependencies

Maintainers

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

Comparing version 2.4.2 to 2.5.0

example/app-layoutsDir.js

		@@ -22,3 +22,4 @@ // npm install express express-hbs
		layoutsDir: relative('views/layout'),
		defaultLayout: relative('views/layout/default.hbs')
		defaultLayout: relative('views/layout/default.hbs'),
		restrictLayoutsTo: relative('views/layout')
		}));
		@@ -25,0 +26,0 @@ app.set('view engine', 'hbs');

example/app.js

		@@ -23,3 +23,4 @@ 'use strict';
		partialsDir: [relative('views/partials'), relative('views/partials-other')],
		defaultLayout: relative('views/layout/default.hbs')
		defaultLayout: relative('views/layout/default.hbs'),
		restrictLayoutsTo: viewsDir
		}));
		@@ -26,0 +27,0 @@ app.set('view engine', 'hbs');

lib/hbs.js

		@@ -102,2 +102,9 @@ 'use strict';

		if (this.restrictLayoutsTo) {
		if (!layoutFile.startsWith(this.restrictLayoutsTo)) {
		var err = new Error('Cannot read ' + layoutFile + ' it does not reside in ' + this.restrictLayoutsTo);
		return cb(err, null);
		}
		}

		// assume hbs extension
		@@ -258,2 +265,4 @@ if (path.extname(layoutFile) === '') layoutFile += this._options.extname;

		this.restrictLayoutsTo = this._options.restrictLayoutsTo;

		// express passes this through ___express func, gulp pass in an option
		@@ -260,0 +269,0 @@ this.viewsDir = null;

package.json

		{
		"name": "express-hbs",
		"version": "2.4.2",
		"version": "2.5.0",
		"description": "Express handlebars template engine complete with multiple layouts, partials and blocks.",
		@@ -33,3 +33,3 @@ "keywords": [
		"cookie-parser": "1.4.6",
		"eslint": "8.48.0",
		"eslint": "8.54.0",
		"express": "4.18.2",
		@@ -36,0 +36,0 @@ "i18n": "0.15.1",

README.md

		@@ -46,2 +46,3 @@ # express-hbs
		// OPTIONAL settings
		restrictLayoutsTo: "{String} Absolute path to a directory to restrict layout directive reading from",
		blockHelperName: "{String} Override 'block' helper name.",
		@@ -103,5 +104,5 @@ contentHelperName: "{String} Override 'contentFor' helper name.",

		## ⚠️ This creates a potential security vulnerability:
		## ⚠️ This creates a potential security vulnerability if used without a `restrictLayoutsTo`:

		Do not use this option in conjunction with passing user submitted data to res.render e.g. `res.render('index', req.query)`. This allows users to read arbitrary files from your filesystem!
		The `restrictLayoutsTo` option will restrict reading layouts to a particular directory, if you do not pass this option then do not use the `layout` option in conjunction with passing user submitted data to res.render e.g. `res.render('index', req.query)`. This allows users to read arbitrary files from your filesystem!

		@@ -108,0 +109,0 @@ ```js

test/apps/async/index.js

		@@ -68,3 +68,4 @@ 'use strict';
		app.engine('hbs', hbs.express4({
		defaultLayout: path.join(viewsDir, "layout.hbs")
		defaultLayout: path.join(viewsDir, 'layout.hbs'),
		restrictLayoutsTo: viewsDir
		}));
		@@ -71,0 +72,0 @@ app.set('view engine', 'hbs');

test/apps/i18n/index.js

		@@ -34,3 +34,4 @@ /**
		app.engine('hbs', hbs.express3({
		i18n: i18n
		i18n: i18n,
		restrictLayoutsTo: viewsDir
		}));
		@@ -37,0 +38,0 @@ app.set('view engine', 'hbs');

test/customExtension.js

		@@ -14,3 +14,4 @@ 'use strict';
		extname: '.server.view.html',
		partialsDir: dirname + '/partialsDir'
		partialsDir: dirname + '/partialsDir',
		restrictLayoutsTo: dirname
		});
		@@ -17,0 +18,0 @@

test/helperSpecs.js

		@@ -18,3 +18,4 @@ var assert = require('assert');
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -42,3 +43,4 @@ var locals = H.createLocals('express3', dirname);
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -45,0 +47,0 @@ var locals = H.createLocals('express3', dirname);

test/issues.js

		@@ -12,3 +12,5 @@ 'use strict';
		it('should use multiple layouts with caching', function(done) {
		var render = hbs.create().express3({});
		var render = hbs.create().express3({
		restrictLayoutsTo: dirname
		});
		var locals1 = H.createLocals('express3', dirname, { layout: 'layout1', cache: true });
		@@ -34,3 +36,4 @@ var locals2 = H.createLocals('express3', dirname, { layout: 'layout2', cache: true });
		var render = hbs.create().express3({
		partialsDir: [dirname + '/partials']
		partialsDir: [dirname + '/partials'],
		restrictLayoutsTo: dirname
		});
		@@ -48,3 +51,4 @@
		var render = hbs.create().express3({
		partialsDir: [dirname + '/partials']
		partialsDir: [dirname + '/partials'],
		restrictLayoutsTo: dirname
		});
		@@ -64,3 +68,4 @@
		var render = hb.express3({
		partialsDir: [dirname + '/partials']
		partialsDir: [dirname + '/partials'],
		restrictLayoutsTo: dirname
		});
		@@ -89,3 +94,4 @@ hb.handlebars.registerPartial('emptyPartial', '');
		var render = hb.express3({
		partialsDir: [dirname + '/partials']
		partialsDir: [dirname + '/partials'],
		restrictLayoutsTo: dirname
		});
		@@ -118,3 +124,4 @@ // this fails
		var render = hbs.create().express3({
		layoutsDir: dirname + '/views/layouts'
		layoutsDir: dirname + '/views/layouts',
		restrictLayoutsTo: dirname
		});
		@@ -167,3 +174,5 @@
		var dirname = path.join(__dirname, 'issues/21');
		var render = hbs.create().express3();
		var render = hbs.create().express3({
		restrictLayoutsTo: dirname
		});

		@@ -187,3 +196,5 @@ function check(err, html) {
		var hb = hbs.create()
		var render = hb.express3({});
		var render = hb.express3({
		restrictLayoutsTo: dirname
		});
		var locals = H.createLocals('express3', dirname, {});
		@@ -198,3 +209,5 @@ render(dirname + '/error.hbs', locals, function(err, html) {
		var hb = hbs.create()
		var render = hb.express3({});
		var render = hb.express3({
		restrictLayoutsTo: dirname
		});
		var locals = H.createLocals('express3', dirname, {});
		@@ -210,3 +223,4 @@ render(dirname + '/front/error.hbs', locals, function(err, html) {
		var render = hb.express3({
		partialsDir: dirname + '/partials'
		partialsDir: dirname + '/partials',
		restrictLayoutsTo: dirname
		});
		@@ -223,3 +237,4 @@ var locals = H.createLocals('express3', dirname, {});
		var render = hb.express3({
		partialsDir: dirname + '/partials'
		partialsDir: dirname + '/partials',
		restrictLayoutsTo: dirname
		});
		@@ -245,3 +260,5 @@ var locals = H.createLocals('express3', dirname, {});
		});
		var render = hb.express3({});
		var render = hb.express3({
		restrictLayoutsTo: dirname
		});
		var locals = H.createLocals('express3', dirname, {});
		@@ -268,3 +285,4 @@ render(dirname + '/index.hbs', locals, function(err, html) {
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -288,3 +306,4 @@ var locals = H.createLocals('express3', dirname);
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -307,2 +326,3 @@ var locals = H.createLocals('express3', dirname);
		partialsDir: dirname + '/partials',
		restrictLayoutsTo: dirname,
		onCompile: function(eh, source, filename) {
		@@ -347,3 +367,4 @@ var options;
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -378,3 +399,4 @@ var locals = H.createLocals('express3', dirname);
		var render = hb.express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -400,3 +422,4 @@ var locals = H.createLocals('express3', dirname);
		var render = hb.express3({
		partialsDir: dirname
		partialsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -417,3 +440,4 @@
		var render = hbs.create().express3({
		partialsDir: [dirname + '/partials']
		partialsDir: [dirname + '/partials'],
		restrictLayoutsTo: dirname
		});
		@@ -443,3 +467,5 @@
		});
		var render = hb.express3({});
		var render = hb.express3({
		restrictLayoutsTo: dirname
		});
		var locals = H.createLocals('express3', dirname, {});
		@@ -464,3 +490,5 @@ render(dirname + '/index.hbs', locals, function(err, html) {
		var hb = hbs.create()
		var render = hb.express3({});
		var render = hb.express3({
		restrictLayoutsTo: dirname
		});
		var locals = H.createLocals('express3', dirname, { });
		@@ -467,0 +495,0 @@ render(dirname + '/index.hbs', locals, check);

test/layoutSpecs.js

		var request = require('supertest');
		var assert = require('assert');
		var path = require('path');
		var hbs = require('..');
		@@ -68,2 +69,3 @@
		var render = hbs.create().express3({
		restrictLayoutsTo: dirname
		});
		@@ -80,2 +82,3 @@ var locals = createLocals('express3', dirname);
		var render = hbs.create().express3({
		restrictLayoutsTo: dirname
		});
		@@ -90,4 +93,19 @@ var locals = createLocals('express3', dirname, { layout: 'layouts/default' });

		it('should error when using a layout outside of the restrictLayoutsTo', function(done) {
		var render = hbs.create().express3({
		restrictLayoutsTo: path.resolve(path.join(__dirname, '../'))
		});
		var locals = createLocals('express3', dirname, {layout: '/Users/egg/Code/Ghost/ghost/core/package.json'});

		render(dirname + '/aside.hbs', locals, function (err, html) {
		if (!err) {
		return done(new Error('We expect an error when reading'));
		}
		return done();
		});
		});

		it ('should not process template-specified layout when options.layout is falsy', function(done) {
		var render = hbs.create().express3({
		restrictLayoutsTo: dirname
		});
		@@ -94,0 +112,0 @@ var locals = createLocals('express3', dirname, { layout: false });

test/localTemplateOptions.js

		@@ -14,3 +14,5 @@ 'use strict';
		var instance = hbs.create();
		var render = instance.express3({});
		var render = instance.express3({
		restrictLayoutsTo: dirname
		});
		instance.updateTemplateOptions({
		@@ -41,3 +43,5 @@ data: {
		var instance = hbs.create();
		var render = instance.express3({});
		var render = instance.express3({
		restrictLayoutsTo: dirname
		});
		instance.updateTemplateOptions({
		@@ -71,3 +75,5 @@ data: {
		var instance = hbs.create();
		var render = instance.express4({});
		var render = instance.express4({
		restrictLayoutsTo: dirname
		});
		instance.updateTemplateOptions({
		@@ -98,3 +104,5 @@ data: {
		var instance = hbs.create();
		var render = instance.express3({});
		var render = instance.express3({
		restrictLayoutsTo: dirname
		});
		instance.updateTemplateOptions({
		@@ -101,0 +109,0 @@ data: {

test/multiple.js

		@@ -13,3 +13,5 @@ 'use strict';
		app = express();
		app.engine('hbs', hbs.express3());
		app.engine('hbs', hbs.express3({
		restrictLayoutsTo: './test/views/multiple'
		}));
		app.set('view engine', 'hbs');
		@@ -16,0 +18,0 @@ app.get('/test1', function (req, res) {

test/nonExpress.js

		@@ -12,3 +12,4 @@ var assert = require('assert');
		var render = hbs.create().express3({
		viewsDir: dirname
		viewsDir: dirname,
		restrictLayoutsTo: dirname
		});
		@@ -26,3 +27,4 @@ var locals = H.createLocals('express3', dirname);
		viewsDir: dirname,
		layoutsDir: dirname + '/layouts'
		layoutsDir: dirname + '/layouts',
		restrictLayoutsTo: dirname
		});
		@@ -29,0 +31,0 @@ var locals = H.createLocals('express3', dirname, {layout: 'default.hbs'});

test/optionsSpecs.js

		@@ -13,3 +13,3 @@ var assert = require('assert');
		var hb = hbs.create();
		var render = hb.express3({beautify: true});
		var render = hb.express3({beautify: true, restrictLayoutsTo: dirname});
		var locals = H.createLocals('express3', dirname, {});
		@@ -16,0 +16,0 @@

Improved metrics