Releases: lukeed/tempura
Releases Β· lukeed/tempura
v0.4.0
Breaking
-
Security Fix: Ensure
esc
always returns a string: 58a5c36
NOTE: This should only be a breaking change if you usedesc
directly.
Previously, any non-string
input was returned as is. Now, everything is returned as a string.
This change prevents XSS attacks within Array values:let html = '<div>' + tempura.esc(['<img src=x onerror="alert(1)" />']) + '<div>'; // before: '<div><img src=x onerror="alert(1)" /></div>' // after: '<div><img src=x onerror="alert(1)" /></div>'
Full Changelog: v0.3.2...v0.4.0
v0.3.2
v0.3.1
v0.3.0
Features
-
Add new
loose
option to relax the#expect
requirement: 72bcb52, e8f8df8By default, any template variables must be known ahead of time β either through
options.props
or through#expect
declarations. However, when enabled,options.loose
relaxes this constraint.
Chores
- Add
options.loose
docs: 4674f67 - Mention
options.loose
in the#expect
syntax docs: de8e4ae - Fix broken introductory example in
syntax
document: 896188f
v0.2.0
Features
-
Add
tempura/rollup
plugin: 764f8fc
Tempura now ships with its own Rollup plugin! -
Add
tempura/esbuild
plugin: 9a3df0d
Tempura also ships with its ownesbuild
plugin, too!
Patches
- Use
in
operator for custom block existence check: 61b6de0
Allows foroptions.blocks.foo = null
-style placeholders.
Examples
- Add
worker
example directory: 7396509, 175a112
Illustrates how to use the newtempura/rollup
and/ortempura/esbuild
plugins.
This builds an example Cloudflare Worker, but is applicable to any built/bundle application.
Chores
- Add more Custom Blocks documentation: eba06d5
Includes more advanced examples/concepts.