Bugfixes:
- backport some (but not all) of the security fixes from 4.x - 156061e
Compatibility notes:
- The properties
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
have been added to the list of "dangerous properties". If a property by that name is found and not an own-property of its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent Remote-Code-Execution exploits that have been published in npm advisories 1324 and 1316. - The check for dangerous properties has been changed from "propertyIsEnumerable" to "hasOwnProperty", as it is now done in Handlebars 4.6.0 and later.
Security issues resolved:
Security fixes:
- #1532 - Backport security fixes to 3.x branch (@mattolson)
Housekeeping
- disable saucelabs-tests since the tunnel is not working - 95f33b1
- update grunt-saucelabs and aws dependency - 09aaa56
- fix package.json of components/handlebars.js repo - 7cf753b
- Fix Travis by updating git tag retrieval - 7c3944015d30a4348ae66ec1736b752cd864d5c1
- Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 7820b207e123babd0bda0b4871790f2ea6b36b01
Tests:
- test: run appveyor tests in Node 10 - 420ac171a01b8777ebce0a777221754fcc72a5a8
- Fix build on Windows - 47adcda48530ab1504b8019fe17eaedd4f4c943f
Compatibility notes:
Access to class constructors (i.e. ({}).constructor
) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:
class SomeClass {
}
SomeClass.staticProperty = 'static'
var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
Chore:
- prevent tagging 3.x versions as "latest" in npm - df403ed, #1486
- ignore idea config - af919d2
- fix travis build - 9283205
- update components/handlebars package.json on release - 9679fe6
- add active NodeJS versions to travis - d207ad0
Fix:
- No longer escape "=" in HTML content - 6e9dbac, #1489
- gracefully handle read-only "column"-property of the Error class (required in Safari 9+) - 725986d
Compatibility notes:
- Compatibility to 3.0.5 is broken due to reverting to not escaping "=" in HTML, but compatibility to 3.0.3 is restored.
- chore: use node 10.x in travis-build - 4ed0a62
Compatibility notes:
- no breaking changes
- Further relax uglify dependency - 4cd5305
- Update uglify-js to avoid vulnerability - d97c2e6
- Escape = in HTML content - 1c863e3
Compatibility notes:
- No breaking changes
- #998 - Add full support for es6 (@kpdecker)
- #994 - Access Handlebars.Visitor in browser (@tamlyn)
- #990 - Allow passing null/undefined literals subexpressions (@blimmer)
- #989 - Source-map error with requirejs (@SteppeEagle)
- #967 - can't access "this" property (@75lb)
- Use captureStackTrace for error handler - a009a97
- Ignore branches tested without coverage monitoring - 37a664b
- #984 - Adding documentation for passing arguments into partials (@johneke)
- #973 - version 3 is slower than version 2 (@elover)
- #966 - "handlebars --version" does not work with v3.0.0 (@abloomston)
- #964 - default is a reserved word (@grassick)
- #962 - Add dashbars' link on README. (@pismute)
-
#940 - Add missing reserved words so compiler knows to use array syntax: (@mattflaschen)
-
#930 - Add parent tracking and mutation to AST visitors (@kpdecker)
-
#926 - Depthed lookups fail when program duplicator runs (@kpdecker)
-
#918 - Add instructions for 'spec/mustache' to CONTRIBUTING.md, fix a few typos (@oneeman)
-
#910 - Different behavior of {{@last}} when {{#each}} in {{#each}} (@zordius)
-
#907 - Implement named helper variable references (@kpdecker)
-
#903 - Only provide aliases for multiple use calls (@kpdecker)
-
#901 - Still escapes with noEscape enabled on isolated Handlebars environment (@zedknight)
-
#896 - Simplify BlockNode by removing intermediate MustacheNode (@mmun)
-
#892 - Implement parser for else chaining of helpers (@kpdecker)
-
#887 - Handlebars.noConflict() option? (@bradvogel)
-
#886 - Add SafeString to context (or use duck-typing) (@dominicbarnes)
-
#870 - Registering undefined partial throws exception. (@max-b)
-
#858 - Disable new default auto-indent at included partials (@majodev)
-
#856 - jspm compatibility (@MajorBreakfast)
-
Export the default object for handlebars/runtime - 5594416
-
Lookup partials when undefined - 617dd57
Compatibility notes:
- Runtime breaking changes. Must match 3.x runtime and precompiler.
- The AST has been upgraded to a public API.
- There are a number of changes to this, but the format is now documented in docs/compiler-api.md
- The Visitor API has been expanded to support mutation and provide a base implementation
- The
JavaScriptCompiler
APIs have been formalized and documented. As part of the sourcemap handling these should be updated to return arrays for concatenation. JavaScriptCompiler.namespace
has been removed as it was unused.SafeString
is now duck typed ontoHTML
New Features:
- noConflict
- Source Maps
- Block Params
- Strict Mode
- @last and other each changes
- Chained else blocks
- @data methods can now have helper parameters passed to them
- Dynamic partials
- Update jsfiddle to 2.0.0-beta.1 - 0670f65
- Add contrib note regarding handlebarsjs.com docs - 4d17e3c
- Play nice with gemspec version numbers - 64d5481
-
#787 - Remove whitespace surrounding standalone statements (@kpdecker)
-
Changes to 0/undefined handling
-
#773 - Implicit parameters in {{#each}} introduces a peculiarity in helpers calling convention (@Bertrand)
-
#783 - helperMissing and consistency for different expression types (@ErisDS)
-
#795 - Turn the precompile script into a wrapper around a module. (@jwietelmann)
-
#823 - Support inverse sections on the with helper (@dan-manges)
-
#852 - {{foo~}} space control behavior is different from older version (@zordius)
-
#835 - Templates overwritten if file is loaded twice
-
Expose escapeExpression on the root object - 980c38c
-
Remove nested function eval in blockHelperMissing - 6f22ec1
-
Fix compiler program de-duping - 9e3f824
Compatibility notes:
- The default build now outputs a generic UMD wrapper. This should be transparent change but may cause issues in some environments.
- Runtime compatibility breaks in both directions. Ensure that both compiler and client are upgraded to 2.0.0-beta.1 or higher at the same time.
programWithDepth
has been removed an instead an array of context values is passed to fields needing depth lookups.
false
values are now printed to output rather than silently dropped- Lines containing only block statements and whitespace are now removed. This matches the Mustache spec but may cause issues with code that expects whitespace to exist but would not otherwise.
- Partials that are standalone will now indent their rendered content
AST.ProgramNode
's signature has changed.- Numerious methods/features removed from psuedo-API classes
JavaScriptCompiler.register
JavaScriptCompiler.replaceStack
no longer supports non-inline replaceCompiler.disassemble
DECLARE
opcodestrip
opcodelookup
opcode- Content nodes may have their
string
values mutated over time.original
field provides the unmodified value.
- Removed unused
Handlebars.registerHelper
inverse
parameter each
helper requires iterator parameter
- Expose setup wrappers for compiled templates - 3638874
- #797 - Pass full helper ID to helperMissing when options are provided (@tomdale)
- #793 - Ensure isHelper is coerced to a boolean (@mmun)
- Refactor template init logic - 085e5e1
- #756 - fix bug in IE<=8 (no Array::map), closes #751 (@jenseng)
- #749 - properly handle multiple subexpressions in the same hash, fixes #748 (@jenseng)
- #743 - subexpression confusion/problem? (@waynedpj)
- #746 - [CLI] support
handlebars --version
(@apfelbox) - #747 - updated grunt-saucelabs, failing tests revealed (@Jonahss)
- Make JSON a requirement for the compiler. - 058c0fb
- Temporarily kill the AWS publish CI step - 8347ee2
Compatibility notes:
- A JSON polyfill is required to run the compiler under IE8 and below. It's recommended that the precompiler be used in lieu of running the compiler on these legacy environments.
-
#182 - Allow passing hash parameters to partials (@kpdecker)
-
#392 - Access to root context in partials and helpers (@kpdecker)
-
#569 - Unable to lookup array values using @index (@kpdecker)
-
#491 - For nested helpers: get the @ variables of the outer helper from the inner one (@kpdecker)
-
#669 - Ability to unregister a helper (@dbachrach)
-
#634 - It would be great to have the helper name passed to
blockHelperMissing
(@kpdecker) -
#658 - Depthed helpers do not work after an upgrade from 1.0.0 (@xibxor)
-
#671 - Crashes on no-parameter {{#each}} (@stepancheg)
-
#699 - @DATA not compiles to invalid JS in stringParams mode (@kpdecker)
-
#705 - 1.3.0 can not be wrapped in an IIFE (@craigteegarden)
-
#706 - README: Use with helper instead of relying on blockHelperMissing (@scottgonzalez)
-
#700 - Remove redundant conditions (@blakeembrey)
-
#704 - JavaScript Compiler Cleanup (@blakeembrey)
Compatibility notes:
helperMissing
helper no longer has the indexed name argument. Helper name is now available viaoptions.name
.- Precompiler output has changed, which breaks compatibility with prior versions of the runtime and precompiled output.
JavaScriptCompiler.compilerInfo
now returns generic objects rather than javascript source.- AST changes
- INTEGER -> NUMBER
- Additional PartialNode hash parameter
- New RawBlockNode type
- Data frames now have a
_parent
field. This is internal but is enumerable for performance/compatability reasons.
- #690 - Added support for subexpressions (@machty)
- #696 - Fix for reserved keyword "default" (@nateirwin)
- #692 - add line numbers to nodes when parsing (@fivetanley)
- #695 - Pull options out from param setup to allow easier extension (@blakeembrey)
- #694 - Make the environment reusable (@blakeembrey)
- #636 - Print line and column of errors (@sgronblo)
- Use literal for data lookup - c1a93d3
- Add stack handling sanity checks - cd885bf
- Fix stack id "leak" on replaceStack - ddfe457
- Fix incorrect stack pop when replacing literals - f4d337d
- #684 - Allow any number of trailing characters for valid JavaScript variable (@blakeembrey)
- #686 - Falsy AMD module names in version 1.2.0 (@kpdecker)
- #675 - Cannot compile empty template for partial (@erwinw)
- #677 - Triple brace statements fail under IE (@hamzaCM)
- #655 - Loading Handlebars using bower (@niki4810)
- #657 - Fixes issue where cli compiles non handlebars templates (@chrishoage)
- #681 - Adds in-browser testing and Saucelabs CI (@kpdecker)
- #661 - Add @first and @index to #each object iteration (@cgp)
- #650 - Handlebars is MIT-licensed (@thomasboyt)
- #641 - Document ember testing process (@kpdecker)
- #662 - handlebars-source 1.1.2 is missing from RubyGems.
- #656 - Expose COMPILER_REVISION checks as a hook (@machty)
- #668 - Consider publishing handlebars-runtime as a separate module on npm (@dlmanning)
- #679 - Unable to override invokePartial (@mattbrailsford)
- #646 - Fix "\{{" immediately following "{{" (@dmarcotte)
- Allow extend to work with non-prototyped objects - eb53f2e
- Add JavascriptCompiler public API tests - 1a751b2
- Add AST test coverage for more complex paths - ddea5be
- Fix handling of boolean escape in MustacheNode - b4968bb
Compatibility notes:
@index
and@first
are now supported foreach
iteration on objectsHandlebars.VM.checkRevision
andHandlebars.JavaScriptCompiler.prototype.compilerInfo
now available to modify the version checking behavior.- Browserify users may link to the runtime library via
require('handlebars/runtime')
-
#644 - Using precompiled templates (AMD mode) with handlebars.runtime 1.1.1 (@fddima)
-
Add simple binary utility tests - 96a45a4
-
Fix empty string compilation - eea708a
-
#642 - handlebars 1.1.0 are broken with nodejs
-
Fix release notes link - 17ba258
-
#483 - Add first and last @ vars to each helper (@denniskuczynski)
-
#557 -
\\{{foo}}
escaping only works in some situations (@dmarcotte) -
#543 - publish passing master builds to s3 (@fivetanley)
-
#608 - Add
includeZero
flag toif
conditional -
#498 -
Handlebars.compile
fails on empty string although a single blank works fine -
#599 - lambda helpers only receive options if used with arguments
-
#592 - Optimize array and subprogram performance
-
#571 - uglify upgrade breaks compatibility with older versions of node
-
#587 - Partial inside partial breaks?
Compatibility notes:
- The project now includes separate artifacts for AMD, CommonJS, and global objects.
- AMD: Users may load the bundled
handlebars.amd.js
orhandlebars.runtime.amd.js
files or load individual modules directly. AMD users should also note that the handlebars object is exposed via thedefault
field on the imported object. This gist provides some discussion of possible compatibility shims. - CommonJS/Node: Node loading occurs as normal via
require
- Globals: The
handlebars.js
andhandlebars.runtime.js
files should behave in the same manner as the v1.0.12 / 1.0.0 release.
- AMD: Users may load the bundled
- Build artifacts have been removed from the repository. npm, components/handlebars.js, cdnjs, or the builds page should now be used as the source of built artifacts.
- Context-stored helpers are now always passed the
options
hash. Previously no-argument helpers did not have this argument.
- #515 - Add node require extensions support (@jjclark1982)
- #517 - Fix amd precompiler output with directories (@blessenm)
- #433 - Add support for unicode ids
- #469 - Add support for
?
in ids - #534 - Protect from object prototype modifications
- #519 - Fix partials with . name (@jamesgorrie)
- #519 - Allow ID or strings in partial names
- #437 - Require matching brace counts in escaped expressions
- Merge passed partials and helpers with global namespace values
- Add support for complex ids in @data references
- Docs updates
Compatibility notes:
- The parser is now stricter on
{{{
, requiring that the end token be}}}
. Templates that do not follow this convention should add the additional brace value. - Code that relies on global the namespace being muted when custom helpers or partials are passed will need to explicitly pass an
undefined
value for any helpers that should not be available. - The compiler version has changed. Precompiled templates with 1.0.12 or higher must use the 1.0.0 or higher runtime.
- #458 - Fix
./foo
syntax (@jpfiset) - #460 - Allow
:
in unescaped identifers (@jpfiset) - #471 - Create release notes (These!)
- #456 - Allow escaping of
\\
- #211 - Fix exception in
escapeExpression
- #375 - Escape unicode newlines
- #461 - Do not fail when compiling
""
- #302 - Fix sanity check in knownHelpersOnly mode
- #369 - Allow registration of multiple helpers and partial by passing definition object
- Add bower package declaration (@DevinClark)
- Add NuSpec package declaration (@MikeMayer)
- Handle empty context in
with
(@thejohnfreeman) - Support custom template extensions in CLI (@matteoagosti)
- Fix Rhino support (@broady)
- Include contexts in string mode (@leshill)
- Return precompiled scripts when compiling to AMD (@JamesMaroney)
- Docs updates (@iangreenleaf, @gilesbowkett, @utkarsh2012)
- Fix
toString
handling under IE and browserify (@tommydudebreaux) - Add program metadata
- #428 - Fix incorrect rendering of nested programs
- Fix exception message (@tricknotes)
- Added negative number literal support
- Concert library to single IIFE
- Add handlebars-source gemspec (@machty)
- Added
Handlebars.create
API in node module for sandboxed instances (@tommydudebreaux)
- Prevent use of
this
or..
in illogical place (@leshill) - Allow AST passing for
parse
/compile
/precompile
(@machty) - Optimize generated output by inlining statements where possible
- Check compiler version when evaluating templates
- Package browser dist in npm package
When upgrading from the Handlebars 0.9 series, be aware that the signature for passing custom helpers or partials to templates has changed.
Instead of:
template(context, helpers, partials, [data])
Use:
template(context, {helpers: helpers, partials: partials, data: data})