
wip: disallow lambdas and functions in input data... #1551

Closed
wants to merge 6 commits into from

Conversation

nknapp
Collaborator

@nknapp nknapp commented Sep 16, 2019

...unless explicitly setting "allowUnsafeFunctionCalls"
in the compile options

  • It is NOT backwards-compatible.
  • The old, unsafe, behavior can be configured by setting "allowUnsafeFunctionCalls" to "true" in the compiler options.

@ErisDS @wycats I would like your opinion on this. If you agree, I will add (and fix) tests and docs. Then I'll release this.

Despite the breaking change, I would only bump the patch version, as @ErisDS suggested lately.

@nknapp nknapp requested review from wycats and ErisDS September 16, 2019 21:48
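To make the proposed behaviour change concrete, here is an added example that is not code from the Handlebars project or from this PR. It is a toy template renderer: a placeholder whose value in the input data is a function is not invoked during rendering unless the compile option `allowUnsafeFunctionCalls` is set. The renderer, its helper names, the choice to render an empty string in the safe case, and the sample data are all assumptions made for the example; only the option name comes from the PR description.

```javascript
// Added example, not Handlebars code. Models the rule from the PR description:
// functions found in input data are not called unless the compile option
// `allowUnsafeFunctionCalls` is true. The renderer shape and the "render as
// empty string" behaviour in safe mode are assumptions for illustration.

// Resolve a dotted path such as "user.name" against the input data.
function resolvePath(data, path) {
  let current = data;
  for (const segment of path.split('.')) {
    if (current === null || current === undefined) return undefined;
    current = current[segment];
  }
  return current;
}

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Compile a template with {{path}} placeholders into a render function.
function compile(source, options = {}) {
  const allowUnsafeFunctionCalls = options.allowUnsafeFunctionCalls === true;

  return function render(data) {
    return source.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_match, path) => {
      let value = resolvePath(data, path);
      if (typeof value === 'function') {
        if (!allowUnsafeFunctionCalls) {
          // Safe default (assumed for this example): the function in the
          // input data is ignored rather than executed.
          return '';
        }
        // Old behaviour, opted into explicitly: invoke the function. The root
        // data object is used as `this` here, a simplification for the example.
        value = value.call(data);
      }
      return escapeHtml(value === null || value === undefined ? '' : String(value));
    });
  };
}

// Constructed sample input: plain values plus a function-valued property,
// which is exactly the case the PR is about.
const sampleData = {
  name: 'Alice',
  greeting() { return 'hi, ' + this.name; },
};

const template = '{{name}} says: {{greeting}}';

// Default compile options: the function is never called.
function renderSafe() {
  return compile(template)(sampleData);
}

// Explicit opt-in to the old, unsafe behaviour.
function renderUnsafe() {
  return compile(template, { allowUnsafeFunctionCalls: true })(sampleData);
}

// Ordinary values still render (and are escaped) in both modes.
function renderEscaped() {
  return compile('<b>{{user.name}}</b>')({ user: { name: '<script>' } });
}
```

Running `renderSafe()` yields `'Alice says: '` while `renderUnsafe()` yields `'Alice says: hi, Alice'`; the only difference between the two is the compile option, which is the knob the PR introduces. Whether the safe path should render nothing or raise an error is a design decision this example does not settle.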
@nknapp
Collaborator Author

nknapp commented Sep 17, 2019

I'm not sure if sandboxing the whole template on execution might be an alternative as well.
This article describes a method that seems to achieve that: https://blog.risingstack.com/writing-a-javascript-framework-sandboxed-code-evaluation/. It needs proxies though. I don't think it will work in IE11.

paulfalgout and others added 6 commits September 20, 2019 18:54
We should not be using pre-built files for the `browser`.  Resolves #1553
related to #1553

- registering helpers on an instance retrieved via
  `import`, compiling the template on an instance
   retrieved via `require`
- using `@roundingwellos/babel-plugin-handlebars-inline-precompile` to load plugins inline
...unless explicitly setting "allowUnsafeFunctionCalls"
in the compile options
@nknapp nknapp force-pushed the unsafe-function-calls branch from 81d6825 to c343711 Compare September 21, 2019 08:31
@nknapp
Collaborator Author

nknapp commented Sep 21, 2019

I'm not sure if this works out. I'll close this and try again later.

@nknapp nknapp closed this Sep 21, 2019
@nknapp nknapp removed request for wycats and ErisDS September 21, 2019 14:14
@nknapp
Collaborator Author

nknapp commented Sep 21, 2019

Could you review #1559 instead?

@jaylinski jaylinski deleted the unsafe-function-calls branch December 3, 2021 19:54
3 participants