Update vulnerable handlebars@^3.0.3 to ^4.0.12

[Silic0nS0ldier]

Handlebars ^3.0.3 is affected by https://nodesecurity.io/advisories/61 (cross-site scripting)

We should update to ^4.0.12 if possible.

[Silic0nS0ldier]

I can only spy 2 cases where there are potential compatibility issues from v3,

1. = is now escaped in variables to address a potential exploit.
2. Depthed path logic has been updated to reflect expected behaviour in some circumstances. (not entirely sure what this is, but it affects what values in the template with resolve to)

Would like to see this addressed in 4.2 if possible. Not a big fan of pushing out updates that depend on vulnerable dependencies if it can be helped.

[amosfolz]

I was doing a little research on this and found that this vulnerability does not have anything to do with Handlebars at its core, but more so bad developer practices. (Not wrapping html attribute in ' or ").

The issue is that Handlebars documentation claimed to be escaping content in {{ }} but did not have = included in the list of escaped characters. If following the suggestions here this would not be a problem.

Also, I have updated Handlebars and did not find any noticeable issues or that anything was broken.

[lcharette]

This might be solved in the 3.x branch by Handlebar and their new release from June 30th ?

https://github.com/wycats/handlebars.js/blob/v3.0.7/release-notes.md#v307---june-30th-2019

[lcharette]

Looks like we'll have to update to 4.1.0 : handlebars-lang/handlebars.js@edc6220

[lcharette]

I've did a quick test on my systems and setting the dependencies to 4.1.2 doesn't require any work. All default pages works as intended.

https://github.com/wycats/handlebars.js/blob/v4.1.2/release-notes.md

All "Compatibility notes" are edge cases which we don't use in default pages, which make it probably safe to include in UF 4.3