In the discussion about the recent security issues, we came to the conclusion that Handlebars should not support the execution of lambdas, like mustache does. The functionality could still be there, activated by an option, but the default should be to only ever execute helper functions and never methods of the input object itself.
There are three different flavors of doing that:
- Disable lambdas completely
- Disable lambdas that are defined on the proto of the input object.
- Disable passing parameters to lambdas that are defined on the proto.
- Disable passing parameters to lambdas.
- Disable everything on the proto (this would disable array.length)
I would like to know if anybody is using any of the cases above and what kind of proto-properties you are using in your templates.
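To make the difference between the options listed above concrete, here is an added example (not part of the original post and not Handlebars' own code) that models a template field lookup under each option. The `resolve` function, the policy names, the `allowAll` baseline and the `User` sample class are all hypothetical.

```javascript
// Hypothetical model of a template field lookup; not Handlebars' implementation.
// Each policy name corresponds to one bullet in the post, plus an "allowAll" baseline.
const POLICIES = ['allowAll', 'noLambdas', 'noProtoLambdas',
                  'noProtoLambdaParams', 'noLambdaParams', 'noProto'];

function resolve(context, name, args, policy) {
  if (context == null) return undefined;
  const own = Object.prototype.hasOwnProperty.call(context, name);
  // "Disable everything on the proto": inherited properties are never read.
  if (policy === 'noProto' && !own) return undefined;
  const value = context[name];
  if (typeof value !== 'function') return value;
  // "Disable lambdas completely": functions from the input are never executed.
  if (policy === 'noLambdas') return undefined;
  // "Disable lambdas that are defined on the proto".
  if (policy === 'noProtoLambdas' && !own) return undefined;
  // The two "disable passing parameters" options still call, but without arguments.
  const dropArgs = policy === 'noLambdaParams' ||
                   (policy === 'noProtoLambdaParams' && !own);
  return value.apply(context, dropArgs ? [] : args);
}

// Constructed sample input: one own data field, one own lambda,
// one inherited getter and one inherited method.
class User {
  constructor(name) {
    this.name = name;
    this.greet = (prefix) => `${prefix || 'hi'} ${name}`;
  }
  get initial() { return this.name[0]; }
  shout(suffix) { return this.name.toUpperCase() + (suffix || ''); }
}

// Resolve every field under every policy so the results can be compared.
function matrix() {
  const user = new User('ada');
  const out = {};
  for (const policy of POLICIES) {
    out[policy] = {
      name: resolve(user, 'name', [], policy),
      initial: resolve(user, 'initial', [], policy),
      greet: resolve(user, 'greet', ['yo'], policy),
      shout: resolve(user, 'shout', ['!'], policy),
    };
  }
  return out;
}

console.table(matrix());
```

The table shows which template expressions would stop rendering under each option, which is the information the question above asks users to report for their own templates.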