Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update vulnerable handlebars@^3.0.3 to ^4.0.12 #921

Silic0nS0ldier opened this issue Jan 11, 2019 · 2 comments


None yet
2 participants
Copy link

commented Jan 11, 2019

Handlebars ^3.0.3 is affected by (cross-site scripting)

We should update to ^4.0.12 if possible.


This comment has been minimized.

Copy link
Member Author

commented Jan 11, 2019

I can only spy 2 cases where there are potential compatibility issues from v3,

  1. = is now escaped in variables to address a potential exploit.
  2. Depthed path logic has been updated to reflect expected behaviour in some circumstances. (not entirely sure what this is, but it affects what values in the template with resolve to)

Would like to see this addressed in 4.2 if possible. Not a big fan of pushing out updates that depend on vulnerable dependencies if it can be helped.

@Silic0nS0ldier Silic0nS0ldier added this to the 4.3.0 milestone Jan 11, 2019

@lcharette lcharette pinned this issue Apr 1, 2019

@lcharette lcharette unpinned this issue Apr 2, 2019


This comment has been minimized.

Copy link

commented Apr 15, 2019

I was doing a little research on this and found that this vulnerability does not have anything to do with Handlebars at its core, but more so bad developer practices. (Not wrapping html attribute in ' or ").

The issue is that Handlebars documentation claimed to be escaping content in {{ }} but did not have = included in the list of escaped characters. If following the suggestions here this would not be a problem.

Also, I have updated Handlebars and did not find any noticeable issues or that anything was broken.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.