"include" broken by v2.5.4 with two-arg invocation

[rpaterson]

The latest release v2.5.4 throws an error when using "include" if "render" was called with two arguments instead of three (context mixed with options).

[rpaterson]

Here's the offending commit: 3a534a9

[RyanZim]

I think this was on purpose, context mixed with options is a bad practice, and highly discouraged.

[rpaterson]

The README says: It is also possible to use ejs.render(dataAndOptions); where you pass everything in a single object. In that case, you'll end up with local variables for all the passed options. However, be aware that your code could break if we add an option with the same name as one of your data object's properties.

It goes on to say that it's not recommended, but I think it's still supported.

[mde]

This is still supported in principle, but securing it may mean in practice we have to remove some specific options. Having said that, this particular case looks fixable. If we find other practical problems with these security fixes, we'll start documenting unsupported options. Thanks for your patience with this.

[mde]

Fixed in https://github.com/mde/ejs/releases/tag/v2.5.5

[rpaterson]

Thanks!