Harden against prototype pollution.

[sayrer]

This makes it more difficult for RCEs in other libraries to overwrite the prototype chain to manipulate Hogan, but also prevents authors from manipulating the prototype chain on purpose. I think the latter is rare enough that this change is worth it.

This first patch just fixes node.indent. See #274.

[sayrer]

Well, I typoed this, but it does fix the pollution. Will fix.

[ex1st]

Hi @sayrer, What do you think about that solution?

var context = Object.create(null, { 
  code: {
    value: "",
    writable: true,
    enumerable: true,
    configurable: true
  }, 
  subs: {
    value: Object.create(null),
    writable: true,
    enumerable: true,
    configurable: true
  }, 
  partials: {
    value: Object.create(null),
    writable: true,
    enumerable: true,
    configurable: true
  }
});

[sayrer]

Hi @sayrer, What do you think about that solution?

It doesn't quite work, but that is another way.

Welcome to Node.js v17.2.0.
Type ".help" for more information.
> var context = Object.create(null, { 
...   code: {
.....     value: "",
.....     writable: true,
.....     enumerable: true,
.....     configurable: true
.....   }}); 
undefined
> context
[Object: null prototype] { code: '' }
> context.__proto__
undefined
> context.code.__proto__
{}
> context.code.__proto__.indent = "foo"
'foo'
> context.code.__proto__.indent
'foo'

[sayrer]

It looks like I'll have to fix the test harness before I check this in, and your way will still break anyone relying on the prototype chain (probably unintentionally). But I'll see which one is cleaner in the end.

[ex1st]

Also, another simple way - predefined empty prefix

var context = { code: '', subs: {}, partials: {}, prefix: '' };