handlebars.js v4.1.0 Release Notes

Release Date: 2019-02-07
🆕 New Features

    • import TypeScript typings - 27ac1ee

🔒 Security fixes:

    • disallow access to the constructor in templates to prevent RCE - 42841c4, #1495

Housekeeping

    • 🚀 chore: fix components/handlebars package.json and auto-update on release - bacd473
    • 🏗 chore: Use node 10 to build handlebars - 78dd89c
    • 🚀 chore/doc: Add more release docs - 6b87c21

Compatibility notes:

    Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent Remote Code Execution. This means that the following construct will no longer work:

    class SomeClass {
    }
    
    SomeClass.staticProperty = 'static'
    
    var template = Handlebars.compile('{{constructor.staticProperty}}');
    document.getElementById('output').innerHTML = template(new SomeClass());
    // expected: 'static', but now this is empty.
    

    This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
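The following is an added illustration of the mitigation principle, not Handlebars' own code: a property-path resolver that returns an empty result for `constructor` and other prototype-chain names, shown next to an unrestricted lookup that reproduces the 'static' result of the example above. The function names, the blocked-name list and the own-property restriction are assumptions made for this illustration; the own-property rule is stricter than what this release itself changes.

```javascript
'use strict';

// Added illustration (not Handlebars' own code). Names that a template path
// must never resolve from data: through them a lookup can walk from a plain
// object to its class and to Function, which is what the #1495 report abuses.
// The list is an assumption for this example.
const BLOCKED_NAMES = new Set(['constructor', '__proto__', 'prototype']);

// Resolve a dotted template path such as "a.b.c" against a context object.
// Returns undefined (the "empty" result described in the release notes) when
// any segment is a blocked name or is not an own property of the current value.
function safeLookup(context, path) {
  let current = context;
  for (const segment of path.split('.')) {
    if (current === null || current === undefined) return undefined;
    if (BLOCKED_NAMES.has(segment)) return undefined;
    // Only own properties are treated as template data; anything inherited
    // comes from the prototype chain and is not resolved.
    if (!Object.prototype.hasOwnProperty.call(current, segment)) return undefined;
    current = current[segment];
  }
  return current;
}

// Unrestricted resolver for comparison: a plain property walk that follows
// inherited properties, which is why "constructor.staticProperty" resolves.
function naiveLookup(context, path) {
  let current = context;
  for (const segment of path.split('.')) {
    if (current === null || current === undefined) return undefined;
    current = current[segment];
  }
  return current;
}

// Constructed sample context mirroring the SomeClass example in the notes.
class SomeClass {}
SomeClass.staticProperty = 'static';

// Returns the three lookups side by side so the difference is visible.
function demo() {
  const ctx = new SomeClass();
  ctx.name = 'alice';
  return {
    naiveConstructor: naiveLookup(ctx, 'constructor.staticProperty'), // 'static'
    safeConstructor: safeLookup(ctx, 'constructor.staticProperty'),   // undefined
    safeOwn: safeLookup(ctx, 'name'),                                 // 'alice'
  };
}

console.log(demo());
```

Ordinary nested data still resolves through `safeLookup`; only names that would leave the data object for its prototype chain come back empty, which is the behaviour the compatibility note describes for `{{constructor.staticProperty}}`.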

    Commits