Problem accessing to a property declared with getter #1634

Closed
deather opened this issue Jan 9, 2020 · 8 comments

@deather

deather commented Jan 9, 2020

Hi,

Since version 4.6.0, I can't access a class property in a template. It was working very well before, so I suppose it is a regression.

I created a jsfiddle with the use case.

Thanks for reading and your awesome work.

@matthaywardwebdesign

@deather I had similar issues when accessing Mongoose objects from my templates. In the latest release accessing prototype values has been disabled.

See the release notes:
"Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details."

@deather
Author

deather commented Jan 10, 2020

@matthaywardwebdesign thanks for the information. I use handlebars through another dependency, I will warn the maintainer.

Sorry for the false issue and thanks again.

@deather deather closed this as completed Jan 10, 2020
@nknapp
Collaborator

nknapp commented Jan 10, 2020

@deather I have just released 4.7.0 with options to re-enable prototype access. Please read the documentation here: https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access

Be careful when using it, as it may open up security leaks that were closed by 4.6.0. I have planned to publish details in due time, when we can be sure that insecure versions of Handlebars have been updated.

@nknapp
Collaborator

nknapp commented Jan 18, 2020

@matthaywardwebdesign how did you solve the problem with Mongoose and handlebars>4.6?

Did you use .toJson or pass the runtime-options?

@deather which dependency are you using?

Please have a look at #1642 and add your comments there so we can collect those problems.

@matthaywardwebdesign

@nknapp In this particular case I just called .toJSON before passing it into the template which did the trick. The change was made to fix some security leaks so didn't want to necessarily open them up, nor whitelist every field!
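
The workaround described in the comment above (hand the template a plain object instead of re-enabling prototype access), as an added example that is not part of the original thread or of Handlebars' own code. `lookupOwn` is a simplified model of an own-property-only lookup, and `User`, `toTemplateContext` and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Shows why a class getter is invisible to an own-property-only
// lookup, and how to expose it without opening up the whole prototype chain.

class User {                                   // constructed sample class
  constructor(first, last, passwordHash) {
    this.first = first;
    this.last = last;
    this.passwordHash = passwordHash;
  }
  // Getters declared in a class body live on User.prototype, not on the instance.
  get fullName() { return `${this.first} ${this.last}`; }
}

// Simplified model of a lookup that only resolves properties defined directly
// on the context object (anything inherited is treated as absent).
function lookupOwn(context, name) {
  return Object.prototype.hasOwnProperty.call(context, name) ? context[name] : undefined;
}

// Hypothetical helper: copy only explicitly named data fields into a plain
// object. Getters are evaluated once here, so their values become own properties.
function toTemplateContext(source, fields) {
  const out = {};
  for (const name of fields) {
    if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
      throw new Error(`refusing to expose "${name}"`);
    }
    const value = source[name];
    if (typeof value === 'function') {
      throw new Error(`"${name}" is a method, not data`);
    }
    out[name] = value;
  }
  return Object.freeze(out);
}

const user = new User('Ada', 'Lovelace', 'constructed-hash-value');
const view = toTemplateContext(user, ['first', 'fullName']);

console.log(lookupOwn(user, 'fullName'));     // getter is inherited, so not found
console.log(lookupOwn(view, 'fullName'));     // own property after conversion
console.log(lookupOwn(view, 'passwordHash')); // never copied, so not exposed
```
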

@justinTM

@nknapp Would the changes introduced in 4.6.0 be considered backwards-breaking?

@nknapp
Collaborator

nknapp commented Jan 23, 2020

@justinTM it's not an easy yes-no question. The documentation never mentions the cases where 4.6 doesn't work anymore, so technically no. But since some of the things that worked with 4.5.3 now don't work anymore, you could say yes.
I wouldn't have made those changes in 4.x, if they hadn't been relevant for security issues.

@justinTM

Understood, that makes sense; just learned about SEMVER yesterday, still learning :) Thanks
