Fix #1748 where allowed prototype methods are not called #1958

Open. Wants to merge 1 commit into base: 4.x
Conversation

aalimovs

Fixes #1748 where allowed prototype methods are not called.

Without this fix the official documentation is incorrect:

```js
const handlebars = require("handlebars");

const template = handlebars.compile("{{aString.trim}}");
const result = template(
  { aString: "  abc  " },
  {
    allowedProtoMethods: {
      trim: true
    }
  }
);
// result = 'abc'   (the value the documentation claims)
```

The result is [object Object], not abc.

@jaylinski
Member

Note: failing test was not caused by this PR and was fixed in #1963. Needs rebase.

@aalimovs aalimovs force-pushed the fix-1748-calling-proto-methods branch 2 times, most recently from fa0420e to b1d1aa8 Compare July 25, 2023 18:19
@aalimovs
Author

@jaylinski rebased, but I've no idea why this PR now picks up changes in .github/workflows/ci.yml that are already in the 4.x branch. I've tried rebasing the fork a few different ways, but it's still the same.

If you want me to recreate the PR let me know.

@jaylinski jaylinski force-pushed the fix-1748-calling-proto-methods branch from b8f7a6d to 5cae846 Compare July 25, 2023 20:59
@jaylinski
Member

No problem, I fixed it.

@jaylinski jaylinski added this to the 4.7.9 milestone Aug 1, 2023
@@ -136,6 +136,9 @@ export function template(templateSpec, env) {
}

if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {
if (typeof result === 'function') {
return parent[propertyName]();
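Review bot: `return parent[propertyName]()` re-reads the property after `resultIsAllowed` has already vetted `result`, so the value that was checked and the value that is invoked come from two separate lookups; a getter or Proxy on `parent` can hand back something different the second time. If the method is to be invoked here at all, `return result.call(parent)` keeps the vetted reference and still supplies the receiver that a bare `result()` lacks. More fundamentally, the hunk turns `lookupProperty` from a lookup into a zero-argument invocation for every allow-listed method, which changes what a template sees for any path that ends in such a method; that is a behaviour change that should be documented and covered by a test, not just the `{{aString.trim}}` case from the description.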
Member


Why did you use parent[propertyName]() instead of result()? Any specific reason?

Author


It doesn't work with result(); it complains that:

TypeError: String.prototype.trim called on null or undefined

I'm not 100% sure why, but as I understand result loses this context.

@jaylinski jaylinski requested a review from nknapp August 31, 2023 21:58
@mohd-akram
Contributor

This fix isn't right - lookupProperty is only for looking up properties, not calling them. Functions are called at

```js
lambda: function (current, context) {
  return typeof current === 'function' ? current.call(context) : current;
},
```

They are called with the Handlebars context, not with the object preceding the dot as in regular JavaScript. Changing this would be a breaking change, and it's not clear for what benefit. You can create a trim helper which achieves the same thing.

@jaylinski
Member

I'm still curious why the documentation states that it should work. 🤔

@mohd-akram
Contributor

That was added somewhat recently to the documentation with the security fixes. I think it was just a mistake.

@nknapp
Collaborator

nknapp commented Sep 6, 2024

I don't know why I added this example to the docs and did not notice that it does not work.
The whole set of "allowProto..." options was just added to provide a way to get back the old behavior. If it didn't work in pre-4.6 versions (and it doesn't), I wouldn't fix it.

The Handlebars way to solve the issue is to register a "trim" helper and use "{{trim aString}}" instead.
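The following is an added example, not code from Handlebars or from anyone in this thread. It models the two runtime steps the thread discusses (property lookup under the proto-access allow-list, then the `lambda` invocation quoted above) in plain JavaScript so that the behaviours described here can be reproduced without the library: why `{{aString.trim}}` with `allowedProtoMethods: { trim: true }` yields `[object Object]`, why the author's `result()` attempt throws, what the PR's `parent[propertyName]()` produces instead, and how the recommended `trim` helper sidesteps the question. The function names (`lookupProperty`, `resultIsAllowed`, `lambda`) and option names follow the thread; their bodies are simplified assumptions and are not the library's implementation.

```javascript
// Added example (not Handlebars' own code): simplified model of the runtime
// steps discussed in this PR.  Bodies are assumptions, names follow the thread.

function resultIsAllowed(result, propertyName, protoAccessControl) {
  // Inherited members are only exposed when explicitly allow-listed;
  // methods and plain properties have separate lists.
  const list = typeof result === 'function'
    ? protoAccessControl.allowedProtoMethods
    : protoAccessControl.allowedProtoProperties;
  return list[propertyName] === true;
}

function lookupProperty(parent, propertyName, protoAccessControl) {
  if (parent == null) return undefined;
  const result = parent[propertyName];
  if (result == null) return result;
  // Own properties of the context are always visible to the template.
  if (Object.prototype.hasOwnProperty.call(parent, propertyName)) return result;
  // Anything from the prototype chain (`trim`, `constructor`, ...) needs an entry.
  if (resultIsAllowed(result, propertyName, protoAccessControl)) return result;
  return undefined;
}

// The invocation step quoted in the thread: a resolved function is called
// with the Handlebars context as `this`, not with the object before the dot.
function lambda(current, context) {
  return typeof current === 'function' ? current.call(context) : current;
}

function makeControl(options) {
  return {
    allowedProtoMethods: (options && options.allowedProtoMethods) || {},
    allowedProtoProperties: (options && options.allowedProtoProperties) || {},
  };
}

// Resolve a dotted path such as "aString.trim" the way a compiled template
// would: walk the segments with lookupProperty, then hand the final value to
// lambda together with the root context.
function renderPath(path, context, options) {
  const control = makeControl(options);
  let current = context;
  for (const segment of path.split('.')) {
    current = lookupProperty(current, segment, control);
  }
  return lambda(current, context);
}

// Variant mirroring the PR's hunk: an allow-listed method is invoked on the
// object it was found on (`parent[segment]()`) at lookup time.
function renderPathCallingOnParent(path, context, options) {
  const control = makeControl(options);
  let current = context;
  for (const segment of path.split('.')) {
    const parent = current;
    current = lookupProperty(parent, segment, control);
    if (typeof current === 'function') current = parent[segment]();
  }
  return lambda(current, context);
}

// Why a bare `result()` fails: the call passes no receiver, so a built-in
// such as String.prototype.trim sees `this === undefined` and throws.
function callDetached(fn) {
  try {
    return fn();
  } catch (err) {
    return err.message;
  }
}

// The alternative both maintainers recommend: a registered helper receives
// the resolved value as an argument and calls whatever it needs on it.
const helpers = {
  trim: (value) => String(value).trim(),
};

function renderHelperCall(helperName, argumentPath, context, options) {
  return helpers[helperName](renderPath(argumentPath, context, options));
}

// Constructed sample context, matching the PR description.
const sampleContext = { aString: '  abc  ' };
const allowTrim = { allowedProtoMethods: { trim: true } };

console.log(renderPath('aString.trim', sampleContext, allowTrim));   // "[object Object]"
console.log(renderPath('aString.trim', sampleContext));              // undefined: blocked
console.log(renderPath('aString.constructor', sampleContext));       // undefined: blocked
console.log(renderPathCallingOnParent('aString.trim', sampleContext, allowTrim)); // "abc"
console.log(callDetached(''.trim));                                  // TypeError text
console.log(renderHelperCall('trim', 'aString', sampleContext));     // "abc"
```

The first call reproduces the `[object Object]` in the PR description: the allow-list lets `trim` through, but `lambda` then invokes it on the root context object, which `String.prototype.trim` stringifies before trimming. The helper route never exposes a prototype member to the template at all, so no `allowedProtoMethods` entry is needed and the default lockdown on inherited properties such as `constructor` stays in force.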

@jaylinski
Member

I'll keep this issue open until we have corrected the wrong documentation and close it afterwards.
