Access has been denied to resolve the property "img" because it is not an "own property" of its parent.

[xreider]

Hello! I am a new in Node.js

Please, help me to rewrite my code

I have this problem with express-handlebars and mongoose

I tried to solve this problem with this webpage

But I got "Cannot find module '@handlebars/allow-prototype-access'" warning
I am a new to rewrite it now, just help me, please!

index.js file

const express = require("express");
const path = require('path');
const mongoose = require('mongoose');
const exphbs =  require('express-handlebars');
const homeRouts = require('./routes/home');
const cartRoutes = require('./routes/cart');
const addRoutes = require('./routes/add');
const coursesRoutes = require('./routes/courses');

const app = express();
const hbs = exphbs.create({
  defaultLayout: 'main', 
  extname: 'hbs',
});
app.engine('hbs', hbs.engine); 
app.set('view engine', 'hbs');
app.set('views', 'views');

app.use(express.static(path.join(__dirname, 'public')));
app.use(express.urlencoded({extended: true}));
app.use('/', homeRouts);
app.use('/add', addRoutes);
app.use('/courses', coursesRoutes);
app.use('/cart', cartRoutes);

const PORT = process.env.PORT || 3000;

async function start() {
  try {
    const url = `****`;
    await mongoose.connect(url, {useUnifiedTopology: true, useNewUrlParser: true, useCreateIndex: true});
    app.listen(PORT, () => {
      console.log(`Listen to ${PORT}`);
    });
  } catch(e) {
    console.log(e)
  } 
};

start();

package.json file

{
...
  "dependencies": {
    "express": "^4.17.1",
    "express-handlebars": "^3.1.0",
    "handlebars": "^4.7.2",
    "mongoose": "^5.8.11",
    "uuid": "^3.4.0"
  },
  "devDependencies": {
    "nodemon": "^2.0.2"
  }
}

[craj1031tx]

When I try to use the allow-prototype-access extension for handlebars in my express-handlebars application, I get a "Error: Module "handlebars" does not provide a view engine."

var express = require('express')
var Handlebars = require('handlebars')
var expressHandlebars = require('express-handlebars')
var {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')

const app = express()
app.engine('hbs', expressHandlebars({
    //defaultLayout: 'main',
    handlebars: allowInsecurePrototypeAccess(Handlebars)
}));
app.set('view engine', 'handlebars')

[nknapp]

You are using

app.engine('hbs', ...

in one place and

app.set('view engine', 'handlebars')

in the other. Try using either handlebars or hbs, but do not mix

Update: Sorry, no, this is not the problem. I have used this code in the same way. I have to test it.

Update 2: I wasn't that wrong... The solution is to use app.engine('handlebars', ...). You need to do this if you use .handlebars as extension of your views, and not .hbs.

[nknapp]

I'll update the readme of the package.

[xreider]

I'll update the readme of the package.

You mean I need to delete app.set('view engine', 'hbs'); ?
I deleted it, but it doesn't work.
Let's rewrite my code to make it work, please

[nknapp]

@xreider can you show me how you tried to make it work? Your code doesn't contain the @handlebars/allow-prototype-access-package at all. Your error message suggests that you need to run npm install @handlebars/allow-prototype-access before trying your change.

[nknapp]

The rest of your code looks good, as long as your files have the extension .hbs. Try the following:

1. Run

   npm install @handlebars/allow-prototype-access

2. add the following to the beginning of of your file.

   const Handlebars = require('handlebars')
   const {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')

3. change the line

   const hbs = exphbs.create({
     defaultLayout: 'main',  
     extname: 'hbs',
   });

   to

   const hbs = exphbs.create({
     defaultLayout: 'main', 
     extname: 'hbs',
     handlebars: allowInsecurePrototypeAccess(Handlebars)
   });

[xreider]

You helped me a lot! Thank you very much! You made me believe in miracles.

[craj1031tx]

Nils, that fix worked for me, I appreciate the help. I am indeed using .handlebars as my extension type for my templates. Providing 'hbs' as an argument even when using .handelbars as your extension name when using just the express-handlebars was working (and is actually what the express-handlebars documentation states) but I guess when using this updated package the app.set('view engine', ARG2) must be paired with the exact extension name. I appreciate your help on this, thank you.

[BigUhoTape]

Thank for ur advice:)

[Edgar-hub-bit]

You helped me a lot! Thank you very much!

[sindri55]

Thanks a lot nknapp. Tell me, have we then prevent to possible create these security holes?
ref. https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access

[nknapp]

If you allow your users to create templates and execute those templates in your Node.js server, then your users may be able to crash your machine, or possibly inject code (if there is a new way of doing so, the publicly known ways should still be impossible with this setting).

[pankkap]

Its working. Thanks brother

[DilushkumarVasu]

Thank you very much, bro. You are the only person giving me the correct solution

[washedupdino]

@nknapp thank you so much!! been stuck on this for longer than I would like to admit

[Nagham123]

thank you so much !!!!

[renato462]

Thank you so much, I needed help !!!!!!! after 10 hour It was solved. Thank a lot.

[andreolllem]

Show de bola! Valeu!

[Bohda-P]

It helped me so much, you gave useful infirmation. Thank you!!!

[mgorodokin]

You are using

app.engine('hbs', ...

in one place and

app.set('view engine', 'handlebars')

in the other. Try using either handlebars or hbs, but do not mix

Update: Sorry, no, this is not the problem. I have used this code in the same way. I have to test it.

Update 2: I wasn't that wrong... The solution is to use app.engine('handlebars', ...). You need to do this if you use .handlebars as extension of your views, and not .hbs.

Hi, I'm also new to JS and handlebars and having trouble implementing the @handlebars/allow-prototype-access' package. Could you please help? This is my current code, I'm not sure how to implement the allow-prototype-access package into my existing app.engine.

const express = require('express');
const mongoose = require('mongoose');
const path = require('path');
const hbs = require('express-handlebars');
const {mongoDbUrl, PORT} = require('./config/configuration');
const flash = require('connect-flash');
const session = require('express-session');
const {selectOption} = require('./config/customFunctions');
const fileUpload = require('express-fileUpload');
const methodOverride = require('method-override');
const {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access');

const app = express();

/* Configure Mongoose to Connect MongoDB */
mongoose.connect(mongoDbUrl, { useNewUrlParser: true })
    .then(response => {
        console.log("MongoDB Connected Successfully.", { useNewUrlParser: true });
    }) .catch(err => {
        console.log("Database connection failed", err)
    });



/* Configure express*/
app.use(express.json());
app.use(express.urlencoded({extended: true}))
app.use(express.static(path.join(__dirname, 'public')));

/*flash and session*/
app.use(session({
    secret: 'anysecret',
    saveUninitialized: true,
    resave: true
}))

app.use(flash());

app.use(globalVariables);

app.use(fileUpload({
    limits: { fileSize: 50 * 1024 * 1024 },
  }));

/* Setup View Engine To Use Handlebars */
app.engine('handlebars', hbs({defaultLayout: 'default', helpers: {select: selectOption}}));
app.set('view engine', 'handlebars');

[Folexy13]

Thanks @nknapp .... you just saved from a lot of headache

[maximcdq]

thx you, brother! :) 👍🏻

[ejas404]

thankyou it worked