handlebars.js v4.5.3 Release Notes
Release Date: 2019-11-18
Bugfixes:
- fix: add "no-prototype-builtins" eslint-rule and fix all occurrences - f7f05d7
- fix: add more properties required to be enumerable - 1988878
Chores / Build:
- fix: use !== 0 instead of != 0 - c02b05f
- add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0
Security:
- The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "properties that must be enumerable". If a property by that name is found and is not enumerable on its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.
Compatibility notes:
- Due to the security fixes, the semantics of templates using __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have changed, in that those expressions now return undefined rather than their actual value from the prototype.
- The semantics have not changed in cases where the properties are enumerable, as in:
{ __proto__: 'some string' }
- The change may be breaking in that respect, but we still only increase the patch version, because the incompatible use cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.
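The lookup rule from the Security section and the enumerable case from the Compatibility notes, as an added illustration that is not Handlebars' own code: the listed names are returned only when they are enumerable properties of the object they are looked up on, and resolvePath is an assumed stand-in for how the compiled template walks a dotted path. The sample data is constructed here.

```javascript
// Added illustration (not Handlebars' own code) of the rule in the security note:
// a name on the list is returned only if it is an enumerable property of the
// object it is looked up on; otherwise the lookup evaluates to undefined.

// Names quoted in the release notes. The real list has further entries not shown.
const MUST_BE_ENUMERABLE = new Set([
  '__proto__',
  '__defineGetter__',
  '__defineSetter__',
  '__lookupGetter__',
]);

// One property access, as the compiled template and the "lookup" helper perform it.
function lookupProperty(parent, name) {
  if (parent == null) return undefined;
  if (MUST_BE_ENUMERABLE.has(name) &&
      !Object.prototype.propertyIsEnumerable.call(parent, name)) {
    // Inherited (e.g. Object.prototype.__proto__) or non-enumerable: hide it.
    return undefined;
  }
  return parent[name];
}

// Assumed stand-in for dotted path resolution such as "user.name",
// applying the same rule at every step of the path.
function resolvePath(context, path) {
  return path.split('.').reduce((obj, key) => lookupProperty(obj, key), context);
}

// Constructed sample data. JSON.parse creates an own, enumerable "__proto__"
// property, so it stays readable. Note that an object literal written as
// { __proto__: 'some string' } would not: the literal form treats __proto__ as
// a prototype setter and ignores non-object values, creating no own property.
const fromJson = JSON.parse('{"__proto__": "some string", "name": "x"}');
const plain = { name: 'x' };

console.log(lookupProperty(fromJson, '__proto__')); // 'some string' (enumerable own property)
console.log(lookupProperty(plain, '__proto__'));    // undefined (inherited, hidden)
console.log(resolvePath({ user: plain }, 'user.__defineGetter__')); // undefined
```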