handlebars
Comparing version 3.0.6 to 3.0.7
@@ -234,3 +234,9 @@ define(['exports', './utils', './exception'], function (exports, _utils, _exception) { | ||
instance.registerHelper('lookup', function (obj, field) { | ||
return obj && obj[field]; | ||
if (!obj) { | ||
return obj; | ||
} | ||
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { | ||
return undefined; | ||
} | ||
return obj[field]; | ||
}); | ||
@@ -237,0 +243,0 @@ } |
@@ -20,2 +20,5 @@ define(['exports', 'module', '../base', '../exception', '../utils', './code-gen'], function (exports, module, _base, _exception, _utils, _codeGen) { | ||
nameLookup: function nameLookup(parent, name /* , type*/) { | ||
if (name === 'constructor') { | ||
return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')']; | ||
} | ||
if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) { | ||
@@ -22,0 +25,0 @@ return [parent, '.', name]; |
@@ -241,3 +241,9 @@ 'use strict'; | ||
instance.registerHelper('lookup', function (obj, field) { | ||
return obj && obj[field]; | ||
if (!obj) { | ||
return obj; | ||
} | ||
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { | ||
return undefined; | ||
} | ||
return obj[field]; | ||
}); | ||
@@ -244,0 +250,0 @@ } |
@@ -29,2 +29,5 @@ 'use strict'; | ||
nameLookup: function nameLookup(parent, name /* , type*/) { | ||
if (name === 'constructor') { | ||
return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')']; | ||
} | ||
if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) { | ||
@@ -31,0 +34,0 @@ return [parent, '.', name]; |
/*! | ||
handlebars v3.0.6 | ||
handlebars v3.0.7 | ||
@@ -433,3 +433,9 @@ Copyright (C) 2011-2014 by Yehuda Katz | ||
instance.registerHelper('lookup', function (obj, field) { | ||
return obj && obj[field]; | ||
if (!obj) { | ||
return obj; | ||
} | ||
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { | ||
return undefined; | ||
} | ||
return obj[field]; | ||
}); | ||
@@ -436,0 +442,0 @@ } |
/*! | ||
handlebars v3.0.6 | ||
handlebars v3.0.7 | ||
@@ -63,3 +63,3 @@ Copyright (C) 2011-2014 by Yehuda Katz | ||
// behavior of isEmpty. Effectively this determines if 0 is handled by the positive path or negative. | ||
return m(a)&&(a=a.call(this)),!c.hash.includeZero&&!a||b.isEmpty(a)?c.inverse(this):c.fn(this)}),a.registerHelper("unless",function(b,c){return a.helpers["if"].call(this,b,{fn:c.inverse,inverse:c.fn,hash:c.hash})}),a.registerHelper("with",function(a,c){m(a)&&(a=a.call(this));var d=c.fn;if(b.isEmpty(a))return c.inverse(this);if(c.data&&c.ids){var e=g(c.data);e.contextPath=b.appendContextPath(c.data.contextPath,c.ids[0]),c={data:e}}return d(a,c)}),a.registerHelper("log",function(b,c){var d=c.data&&null!=c.data.level?parseInt(c.data.level,10):1;a.log(d,b)}),a.registerHelper("lookup",function(a,b){return a&&a[b]})}function g(a){var c=b.extend({},a);return c._parent=a,c}a.__esModule=!0,a.HandlebarsEnvironment=e,a.createFrame=g;var h=d(c),i="3.0.1";a.VERSION=i;var j=6;a.COMPILER_REVISION=j;var k={1:"<= 1.0.rc.2",// 1.0.rc.2 is actually rev2 but doesn't report it | ||
return m(a)&&(a=a.call(this)),!c.hash.includeZero&&!a||b.isEmpty(a)?c.inverse(this):c.fn(this)}),a.registerHelper("unless",function(b,c){return a.helpers["if"].call(this,b,{fn:c.inverse,inverse:c.fn,hash:c.hash})}),a.registerHelper("with",function(a,c){m(a)&&(a=a.call(this));var d=c.fn;if(b.isEmpty(a))return c.inverse(this);if(c.data&&c.ids){var e=g(c.data);e.contextPath=b.appendContextPath(c.data.contextPath,c.ids[0]),c={data:e}}return d(a,c)}),a.registerHelper("log",function(b,c){var d=c.data&&null!=c.data.level?parseInt(c.data.level,10):1;a.log(d,b)}),a.registerHelper("lookup",function(a,b){if(!a)return a;if("constructor"!==b||a.propertyIsEnumerable(b))return a[b]})}function g(a){var c=b.extend({},a);return c._parent=a,c}a.__esModule=!0,a.HandlebarsEnvironment=e,a.createFrame=g;var h=d(c),i="3.0.1";a.VERSION=i;var j=6;a.COMPILER_REVISION=j;var k={1:"<= 1.0.rc.2",// 1.0.rc.2 is actually rev2 but doesn't report it | ||
2:"== 1.0.0-rc.3",3:"== 1.0.0-rc.4",4:"== 1.x.x",5:"== 2.0.0-alpha.x",6:">= 2.0.0-beta.1"};a.REVISION_CHANGES=k;var l=b.isArray,m=b.isFunction,n=b.toString,o="[object Object]";e.prototype={constructor:e,logger:p,log:q,registerHelper:function(a,c){if(n.call(a)===o){if(c)throw new h["default"]("Arg not supported with multiple helpers");b.extend(this.helpers,a)}else this.helpers[a]=c},unregisterHelper:function(a){delete this.helpers[a]},registerPartial:function(a,c){if(n.call(a)===o)b.extend(this.partials,a);else{if("undefined"==typeof c)throw new h["default"]("Attempting to register a partial as undefined");this.partials[a]=c}},unregisterPartial:function(a){delete this.partials[a]}};var p={methodMap:{0:"debug",1:"info",2:"warn",3:"error"}, | ||
@@ -66,0 +66,0 @@ // State enum |
/*! | ||
handlebars v3.0.6 | ||
handlebars v3.0.7 | ||
@@ -429,3 +429,9 @@ Copyright (C) 2011-2014 by Yehuda Katz | ||
instance.registerHelper('lookup', function (obj, field) { | ||
return obj && obj[field]; | ||
if (!obj) { | ||
return obj; | ||
} | ||
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { | ||
return undefined; | ||
} | ||
return obj[field]; | ||
}); | ||
@@ -432,0 +438,0 @@ } |
/*! | ||
handlebars v3.0.6 | ||
handlebars v3.0.7 | ||
@@ -89,3 +89,3 @@ Copyright (C) 2011-2014 by Yehuda Katz | ||
// behavior of isEmpty. Effectively this determines if 0 is handled by the positive path or negative. | ||
return q(a)&&(a=a.call(this)),!b.hash.includeZero&&!a||j.isEmpty(a)?b.inverse(this):b.fn(this)}),a.registerHelper("unless",function(b,c){return a.helpers["if"].call(this,b,{fn:c.inverse,inverse:c.fn,hash:c.hash})}),a.registerHelper("with",function(a,b){q(a)&&(a=a.call(this));var c=b.fn;if(j.isEmpty(a))return b.inverse(this);if(b.data&&b.ids){var d=f(b.data);d.contextPath=j.appendContextPath(b.data.contextPath,b.ids[0]),b={data:d}}return c(a,b)}),a.registerHelper("log",function(b,c){var d=c.data&&null!=c.data.level?parseInt(c.data.level,10):1;a.log(d,b)}),a.registerHelper("lookup",function(a,b){return a&&a[b]})}function f(a){var b=j.extend({},a);return b._parent=a,b}var g=c(1)["default"],h=c(2)["default"];b.__esModule=!0,b.HandlebarsEnvironment=d,b.createFrame=f;var i=c(4),j=g(i),k=c(5),l=h(k),m="3.0.1";b.VERSION=m;var n=6;b.COMPILER_REVISION=n;var o={1:"<= 1.0.rc.2",// 1.0.rc.2 is actually rev2 but doesn't report it | ||
return q(a)&&(a=a.call(this)),!b.hash.includeZero&&!a||j.isEmpty(a)?b.inverse(this):b.fn(this)}),a.registerHelper("unless",function(b,c){return a.helpers["if"].call(this,b,{fn:c.inverse,inverse:c.fn,hash:c.hash})}),a.registerHelper("with",function(a,b){q(a)&&(a=a.call(this));var c=b.fn;if(j.isEmpty(a))return b.inverse(this);if(b.data&&b.ids){var d=f(b.data);d.contextPath=j.appendContextPath(b.data.contextPath,b.ids[0]),b={data:d}}return c(a,b)}),a.registerHelper("log",function(b,c){var d=c.data&&null!=c.data.level?parseInt(c.data.level,10):1;a.log(d,b)}),a.registerHelper("lookup",function(a,b){if(!a)return a;if("constructor"!==b||a.propertyIsEnumerable(b))return a[b]})}function f(a){var b=j.extend({},a);return b._parent=a,b}var g=c(1)["default"],h=c(2)["default"];b.__esModule=!0,b.HandlebarsEnvironment=d,b.createFrame=f;var i=c(4),j=g(i),k=c(5),l=h(k),m="3.0.1";b.VERSION=m;var n=6;b.COMPILER_REVISION=n;var o={1:"<= 1.0.rc.2",// 1.0.rc.2 is actually rev2 but doesn't report it | ||
2:"== 1.0.0-rc.3",3:"== 1.0.0-rc.4",4:"== 1.x.x",5:"== 2.0.0-alpha.x",6:">= 2.0.0-beta.1"};b.REVISION_CHANGES=o;var p=j.isArray,q=j.isFunction,r=j.toString,s="[object Object]";d.prototype={constructor:d,logger:t,log:u,registerHelper:function(a,b){if(r.call(a)===s){if(b)throw new l["default"]("Arg not supported with multiple helpers");j.extend(this.helpers,a)}else this.helpers[a]=b},unregisterHelper:function(a){delete this.helpers[a]},registerPartial:function(a,b){if(r.call(a)===s)j.extend(this.partials,a);else{if("undefined"==typeof b)throw new l["default"]("Attempting to register a partial as undefined");this.partials[a]=b}},unregisterPartial:function(a){delete this.partials[a]}};var t={methodMap:{0:"debug",1:"info",2:"warn",3:"error"}, | ||
@@ -92,0 +92,0 @@ // State enum |
@@ -215,3 +215,9 @@ import * as Utils from './utils'; | ||
instance.registerHelper('lookup', function(obj, field) { | ||
return obj && obj[field]; | ||
if (!obj) { | ||
return obj; | ||
} | ||
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { | ||
return undefined; | ||
} | ||
return obj[field]; | ||
}); | ||
@@ -218,0 +224,0 @@ } |
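Review bot: The guard in the `lookup` helper calls `obj.propertyIsEnumerable(field)` on the looked-up object itself, so the outcome depends on whatever that name resolves to on `obj`. A context object that carries its own `propertyIsEnumerable` key decides the check, and an object created without `Object.prototype` throws here where the old `obj && obj[field]` returned undefined. The comparison is also strict on type while `obj[field]` converts the key to a string, so the test and the access can disagree for non-string keys. Both are covered by `if (String(field) === 'constructor' && !Object.prototype.propertyIsEnumerable.call(obj, field)) {`. The same helper body appears in what look like built copies earlier on the page, and the same receiver call is emitted by `nameLookup` in the compiler section.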
@@ -16,2 +16,5 @@ import { COMPILER_REVISION, REVISION_CHANGES } from '../base'; | ||
nameLookup: function(parent, name /* , type*/) { | ||
if (name === 'constructor') { | ||
return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')']; | ||
} | ||
if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) { | ||
@@ -18,0 +21,0 @@ return [parent, '.', name]; |
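Review bot: The new `constructor` branch in `nameLookup` carries no comment saying it is a security guard, so nothing tells a later refactor of the lookup paths that it must be kept. A comment above the `if` would do, for example `// Security: resolve 'constructor' only when it is an own enumerable property; the inherited one is withheld (see the 3.0.7 release notes, #1495).`. The branch is also a one-name denylist, so other members inherited from the prototype still compile to the plain `parent.name` access below it; whether they need the same treatment is worth deciding explicitly. `nameLookup` continues past the end of this section.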
{ | ||
"name": "handlebars", | ||
"barename": "handlebars", | ||
"version": "3.0.6", | ||
"version": "3.0.7", | ||
"description": "Handlebars provides the power necessary to let you build semantic templates effectively with no frustration", | ||
@@ -35,3 +35,3 @@ "homepage": "http://www.handlebarsjs.com/", | ||
"async": "^0.9.0", | ||
"aws-sdk": "~1.5.0", | ||
"aws-sdk": "^2.1.49", | ||
"babel-loader": "^5.0.0", | ||
@@ -53,3 +53,3 @@ "babel-runtime": "^5.1.10", | ||
"grunt-eslint": "^11.0.0", | ||
"grunt-saucelabs": "8.x", | ||
"grunt-saucelabs": "9.x", | ||
"grunt-webpack": "^1.0.8", | ||
@@ -56,0 +56,0 @@ "istanbul": "^0.3.0", |
@@ -5,4 +5,47 @@ # Release Notes | ||
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.6...master) | ||
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.7...master) | ||
## v3.0.7 - June 30th, 2019 | ||
Security fixes: | ||
- [#1532](https://github.com/wycats/handlebars.js/pull/1532) - Backport security fixes to 3.x branch ([@mattolson](https://api.github.com/users/mattolson)) | ||
Housekeeping | ||
- disable saucelabs-tests since the tunnel is not working - 95f33b1 | ||
- update grunt-saucelabs and aws dependency - 09aaa56 | ||
- fix package.json of components/handlebars.js repo - 7cf753b | ||
- Fix Travis by updating git tag retrieval - 7c3944015d30a4348ae66ec1736b752cd864d5c1 | ||
- Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 7820b207e123babd0bda0b4871790f2ea6b36b01 | ||
Tests: | ||
- test: run appveyor tests in Node 10 - 420ac171a01b8777ebce0a777221754fcc72a5a8 | ||
- Fix build on Windows - 47adcda48530ab1504b8019fe17eaedd4f4c943f | ||
Compatibility notes: | ||
Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent | ||
Remote Code Execution. This means that following construct will no work anymore: | ||
``` | ||
class SomeClass { | ||
} | ||
SomeClass.staticProperty = 'static' | ||
var template = Handlebars.compile('{{constructor.staticProperty}}'); | ||
document.getElementById('output').innerHTML = template(new SomeClass()); | ||
// expected: 'static', but now this is empty. | ||
``` | ||
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems). | ||
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.6...v3.0.7) | ||
## v3.0.6 - January 2nd, 2019 | ||
@@ -9,0 +52,0 @@ Chore: |