Version 2.0.0
TL;DR
This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.
With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().
Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.
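As an added illustration (not Eta's own code), the following models the two behaviours the TL;DR describes: a v1-style resolver that spreads the data object into the configuration, and a v2-style resolver that keeps them apart. The config keys are the ones named above; the helper names, the default values and the sample request data are assumptions made for the example.

```javascript
// Configuration keys the release notes name as reachable through data in v1.
const RESERVED_CONFIG_KEYS = ["varName", "include", "includeFile", "useWith"];

// Hypothetical defaults standing in for Eta's real ones (assumption).
const defaultConfig = Object.freeze({
  varName: "it",
  useWith: false,
  cache: false,
});

// v1-style resolution: data is merged into config, so a data key that
// happens to match a config option silently overrides it.
function resolveConfigV1(config, data) {
  return { ...defaultConfig, ...config, ...data };
}

// v2-style resolution: data is handed to the template only and never
// reaches the configuration object.
function resolveConfigV2(config, data) {
  void data; // intentionally unused here: data is not configuration
  return { ...defaultConfig, ...config };
}

// Defensive check for callers still on v1 (or wrapping renderFile):
// report data keys that collide with configuration options so they can
// be rejected or logged before rendering.
function reservedKeysIn(data) {
  return Object.keys(data).filter((k) => RESERVED_CONFIG_KEYS.includes(k));
}

// Constructed sample: a request body whose fields the user controls.
const untrustedData = { name: "alice", useWith: true };

const v1 = resolveConfigV1({ cache: true }, untrustedData);
const v2 = resolveConfigV2({ cache: true }, untrustedData);
console.log("v1 useWith:", v1.useWith, "| v2 useWith:", v2.useWith);
console.log("colliding keys:", reservedKeysIn(untrustedData));
```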
Practical Implications
- Configuration must be passed to `renderFile` explicitly, rather than merged with the `data` parameter
- Using Express.js `app.set()` to modify `views` and `view cache` will no longer change Eta's configuration of `views` and `cache`.
  - However, since Express still uses its own `views` and `view cache` options under the hood, users should configure both Eta and Express with the desired values (example below)
- Eta no longer recognizes the legacy Express.js `settings["view options"]` property
Example Code Changes
```js
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2
```

```js
// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure Eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")
```