Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable lambdas or at least prohibit execution of lambdas with parameters #1565

Closed
nknapp opened this issue Sep 28, 2019 · 1 comment
Closed

Disable lambdas or at least prohibit execution of lambdas with parameters #1565

nknapp opened this issue Sep 28, 2019 · 1 comment

Comments

@nknapp
Copy link
Collaborator

nknapp commented Sep 28, 2019
edited
Loading

In the discussion about the recent security issues, we came to the conclusion that Handlebars should not support the execution of lambdas, like mustache does. The functionality could still be there, activated by an option, but the default should be to only ever execute helper functions and never methods of the input object itself.

There three different flavors of doing that:

  1. Disable lambdas completely
  2. Disable lambdas that are defined on the proto of the input object.
  3. Disable passing parameters to lambdas that are defined on the proto.
  4. Disable passing parameters to lambdas.
  5. Disable everything on the proto (this would disable array.length)

I would like to know if anybody is using any of the cases above and what kind of proto-properties you are using in your templates.
@nknapp nknapp mentioned this issue Sep 28, 2019
Open
@nknapp
Copy link
Collaborator Author

nknapp commented Jan 11, 2020

Obsolete since 4.6 as prototype access is now blocked

@nknapp nknapp closed this as completed Jan 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nknapp