deps: express-hbs@1.0.0 #6745
Merged
deps: express-hbs@1.0.0 #6745
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
refs TryGhost#2459 This includes updating handlebars to v4 as well as other fixes which will introduce breaking changes to the theme API: From express-hbs: - partials must now use the `.hbs` extension, the same as templates From handlebars: - Depthed paths are now conditionally pushed on to the stack. If the helper uses the same context, then a new stack is not created. This leads to behavior that better matches expectations for helpers like if that do not seem to alter the context. Any instances of ../ in templates will need to be checked for the correct behavior under 4.0.0. In general templates will either reduce the number of ../ instances or leave them as is. See TryGhost#1028. - The = character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e. <div foo={{bar}}>. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR includes upgrading to handlebars v4 and is a breaking update to the theme API:
The breaking changes affect very rare use-cases, which should have very minimal impact.
handlebars change:
../now behaves more naturally.The full explanation of this change is here: handlebars-lang/handlebars.js#1028.
Impact: anywhere in theme templates or partials where there is a usage of
../in a nested block must be reviewed. In most cases, it will be instances of multiple../'s e.g.{{../../pagination.total}}that felt unnatural in the first place.Incidences of this causing breakage should be very rare. In most cases, I've seen Ghost themes work around this issue rather than use the unnatural syntax (Casper's tag.hbs is an example of this). In a survey of themes on Ghost(Pro) only one affected blog was located.
handlebars change:
=is now HTML escapedMore explanation here and in the handlebars v4 compatibility notes. This is a fix for a security vulnerability.
Impact: Ghost templates must always use quotes for HTML attributes which come from a handlebars helper. E.g.
<div class="{{page_class}}">. Anywhere where quotes are not used, and the value includes an=, the=will now be HTML escaped. This will cause minor rendering issues, E.g. using<a ... title={{tag.name}}>...where the tag name isfoo = barwould result in HTML like:<a .. title="foo" =="" bar="">.... This is wrong but doesn't stop the page loading or link working.Using quotes for HTML attributes is already considered best practice and
=is not a common character in things like tag names and post titles, where this would most likely be a problem for Ghost. Further still, the escaping will likely cause minor HTML rendering issues. Incidences of this causing problems are expected to be rare.express-hbs change: partials now require the
.hbsextensionPreviously, there was no enforcement around the file extension used for partial files. The extension is now enforced as being the same as that configured in
extname. For Ghost, this means that all partials must use the.hbsextension the same as template files.Impact: anyone with a theme using an extension other than
.hbsfor partials must update their theme or the partial will not be found after upgrading Ghost to 0.8. This fixes #2459.Ghost theme docs have never suggested that this could or should be otherwise, so incidences of this causing issues should be very rare.