Handlebar to html conversion broken in 3.0.5 #1489
Comments
|
We have the exact same issue. In our case we have base64 encoded strings which are otherwise left intact, but any trailing |
|
+1, exactly same issue here. |
|
Hi. I'm sorry, if this change causes problems for you. It was introduced via #1083. I have published it in response to #1454, which references an entry in the node security database. But you are right. The list of escaped characters was documented, so this was a breaking change. Update: No, I'm not going to revert it right now. Right no, it's half past midnight were I live, so I'm going to go to sleep and think about this. @rhariraman By the way: You are using the lack of "="-escaping exactly in the way that may cause the vulerability (see #1083 (comment)) |
|
The security fix is reverted in version 3.0.6 |
|
@nknapp Thanks a lot :) |
facing same issue with version '4.2.0'. what is the solution for this plz. |
You could use triple-stash to avoid HTML conversion. Example: {{{text}}} |
<select class={{classes}} {{attrs}}>
{{#options}}
<option id="{{id}}" value={{value}} {{defaultSelected}}> {{label}}
{{/options}}
In the above handlebar file we have replaced the attribute with the following code a long back and it was working as expected,
attrs: "data=#{dataContext.id.toString()} style=width:70px;"
This was perfectly working in the 3.0.3 version and properly interpreted to the following code,
data="5336686" style="width:70px;"
But when we upgraded to 3.0.5 the above code is breaking and giving the following encoded code output,
data=5339575 style=width:70px;As far as my understanding, all the minor and patch version releases are backward compatible. I would like to know that we should revamp the above code or this could be reverted in the next minor release? This has caused a major production issue for us :( Thanks in advance!
The text was updated successfully, but these errors were encountered: