Handlebars.js: Handlebar to html conversion broken in 3.0.5

Created on 20 Dec 2018  ·  5Comments  ·  Source: handlebars-lang/handlebars.js

In the above handlebar file we have replaced the attribute with the following code a long back and it was working as expected,
attrs: "data=#{dataContext.id.toString()} style=width:70px;"

This was perfectly working in the 3.0.3 version and properly interpreted to the following code,

data="5336686" style="width:70px;"

But when we upgraded to 3.0.5 the above code is breaking and giving the following encoded code output,

data=5339575 style=width:70px;

As far as my understanding, all the minor and patch version releases are backward compatible. I would like to know that we should revamp the above code or this could be reverted in the next minor release? This has caused a major production issue for us :( Thanks in advance!

picture rhariraman
👍4

Most helpful comment

We have the exact same issue. In our case we have base64 encoded strings which are otherwise left intact, but any trailing = characters get converted to =.

picture huijar on 21 Dec 2018
👍3

All 5 comments

We have the exact same issue. In our case we have base64 encoded strings which are otherwise left intact, but any trailing = characters get converted to =.

huijar picture huijar on 21 Dec 2018
👍3

+1, exactly same issue here.

jlaari picture jlaari on 21 Dec 2018
👍1

Hi. I'm sorry, if this change causes problems for you. It was introduced via #1083. I have published it in response to #1454, which references an entry in the node security database.

But you are right. The list of escaped characters was documented, so this was a breaking change.
I'm going to revert it, but I will also get the opinions of the people who wished to have the change.

Update: No, I'm not going to revert it right now. Right no, it's half past midnight were I live, so I'm going to go to sleep and think about this.

@rhariraman By the way: You are using the lack of "="-escaping exactly in the way that may cause the vulerability (see https://github.com/wycats/handlebars.js/pull/1083#issuecomment-134733449)

nknapp picture nknapp on 22 Dec 2018

The security fix is reverted in version 3.0.6
Equal signs are no longer escaped.

nknapp picture nknapp on 2 Jan 2019

@nknapp Thanks a lot :)

rhariraman picture rhariraman on 2 Jan 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mattkime picture mattkime  ·  4Comments
ricardograca picture ricardograca  ·  4Comments
NickCis picture NickCis  ·  4Comments
rizen picture rizen  ·  6Comments
janus-reith picture janus-reith  ·  3Comments