From b1d1aa8b71d0e5f5423e692981a14eb991cb9e3a Mon Sep 17 00:00:00 2001
From: aalimovs
Date: Sun, 16 Jul 2023 15:04:01 +0100
Subject: [PATCH] Fix #1748 where allowed prototype methods are not called
---
 lib/handlebars/runtime.js | 3 +++
 spec/security.js | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js
index 36bf6c94..1aa8638b 100644
--- a/lib/handlebars/runtime.js
+++ b/lib/handlebars/runtime.js
@@ -136,6 +136,9 @@ export function template(templateSpec, env) {
 }
 if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {
+ if (typeof result === 'function') {
+ return parent[propertyName]();
+ }
 return result;
 }
 return undefined;
diff --git a/spec/security.js b/spec/security.js
index 00eb1318..789ad89c 100644
--- a/spec/security.js
+++ b/spec/security.js
@@ -289,6 +289,17 @@ describe('security issues', function() {
 })
 .toCompileTo('abc');
 });
+
+ it('should call an allowed proto method', function() {
+ expectTemplate('{{aString.trim}}')
+ .withInput({ aString: ' abc ' })
+ .withRuntimeOptions({
+ allowedProtoMethods: {
+ trim: true
+ }
+ })
+ .toCompileTo('abc');
+ });
 });
 describe('control access to prototype non-methods via "allowedProtoProperties" and "allowProtoPropertiesByDefault', function() {
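Review bot: The function invoked at `return parent[propertyName]();` comes from a second read of the property, not the `result` that `resultIsAllowed` just vetted, so if the property is an accessor the checked value and the called value can differ. Invoking the vetted value keeps the check and the call on the same object: `return result.call(parent);`. The call also runs during lookup with no arguments, so with a broad `allowedProtoMethods` list (or `allowProtoMethodsByDefault`, if enabled) every allowed inherited method reached by a template path executes as a side effect of resolving it. A comment above the branch such as `// allowed prototype methods are invoked here with parent as this and no arguments` would make that visible to anyone choosing what to allow. The enclosing lookup function starts and ends outside the hunk, so how callers treat the now non-function return value cannot be checked from here.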
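Review bot: The added spec pins only the positive case, so nothing in this hunk shows that the new invocation in `runtime.js` stays gated by the allowlist. A companion case next to 'should call an allowed proto method' that explicitly denies the method and expects empty output would guard against the call being moved outside the `resultIsAllowed` branch later. The file may already cover prohibited methods elsewhere in this `describe`, which starts outside the hunk, but those tests predate the call path added here.

```javascript
// … unchanged: it('should call an allowed proto method', …) …

it('should not call a proto method that is explicitly denied', function() {
  expectTemplate('{{aString.trim}}')
    .withInput({ aString: ' abc ' })
    .withRuntimeOptions({
      allowedProtoMethods: {
        trim: false
      }
    })
    .toCompileTo('');
});
```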