handlebars.js v4.1.0 Release Notes
Release Date: 2019-02-07
New Features
- import TypeScript typings - 27ac1ee
Security fixes:
- disallow access to the constructor in templates to prevent RCE - 42841c4, #1495
Housekeeping
- chore: fix components/handlebars package.json and auto-update on release - bacd473
- chore: Use node 10 to build handlebars - 78dd89c
- chore/doc: Add more release docs - 6b87c21
Compatibility notes:
Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent Remote Code Execution. This means that the following construct will no longer work:

```js
class SomeClass { }
SomeClass.staticProperty = 'static';
var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.
```
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is neither intended nor documented, and because of the potential impact of the issue (we fear that most people would not move to a new major version and the issue would remain unresolved on many systems).
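As an added illustration (not Handlebars' own code), the snippet below is a minimal dotted-path resolver of the kind a template engine uses for `{{a.b.c}}`, shown once without and once with a guard on the `constructor` segment; the guard's own-enumerable-property check is this example's design choice, not a claim about how the library implements the fix. `SomeClass`, `instance` and `plainData` are constructed sample inputs.

```javascript
// Added illustration, not handlebars' code: a dotted-path resolver of the
// kind used for {{a.b.c}}, first unguarded and then guarded on "constructor".

// Unguarded: walks every segment, so "constructor" reaches the class object
// and from there any static property attached to it.
function resolveUnguarded(context, path) {
  return path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]),
    context
  );
}

// Guarded: "constructor" only resolves when it is the context's own
// enumerable data (e.g. a "constructor" key parsed from JSON); the inherited
// prototype constructor is never reachable from a template expression.
function resolveGuarded(context, path) {
  return path.split('.').reduce((obj, key) => {
    if (obj == null) return undefined;
    if (key === 'constructor' &&
        !Object.prototype.propertyIsEnumerable.call(obj, 'constructor')) {
      return undefined;
    }
    return obj[key];
  }, context);
}

// Render the way a template engine does: a missing value becomes ''.
function render(context, path, resolve) {
  const value = resolve(context, path);
  return value == null ? '' : String(value);
}

// Constructed sample context mirroring the release notes' example.
class SomeClass {}
SomeClass.staticProperty = 'static';
const instance = new SomeClass();

// Constructed plain data that legitimately carries a "constructor" key;
// the guard must not break this case.
const plainData = JSON.parse('{"constructor": {"staticProperty": "from-data"}}');

function demo() {
  return {
    before: render(instance, 'constructor.staticProperty', resolveUnguarded),
    after: render(instance, 'constructor.staticProperty', resolveGuarded),
    ownData: render(plainData, 'constructor.staticProperty', resolveGuarded),
  };
}
```

`demo()` returns `'static'` for the unguarded lookup, `''` for the guarded one (the behaviour the compatibility note describes), and `'from-data'` for the plain-data case.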