Skip to content

Commit bba6560

Browse files
nknappnknapp
committed
Update release notes
1 parent 06b7224 commit bba6560

File tree

1 file changed

+37
-1
lines changed

1 file changed

+37
-1
lines changed

release-notes.md

Lines changed: 37 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,43 @@
22

33
## Development
44

5-
[Commits](https://github.com/wycats/handlebars.js/compare/v4.2.1...master)
5+
[Commits](https://github.com/wycats/handlebars.js/compare/v4.3.0...master)
6+
7+
## v4.3.0 - September 24th, 2019
8+
Fixes:
9+
10+
- Security: Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
11+
- Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
12+
13+
Features:
14+
15+
- Add new runtime option `allowCallsToHelperMissing` to allow calling `blockHelperMissing` and `helperMissing`.
16+
17+
Breaking changes:
18+
19+
Compatibility notes:
20+
- Compiler revision increased - 06b7224
21+
- This means that template compiled with versions prior to 4.3.0 will not work with runtimes >= 4.3.0
22+
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
23+
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
24+
that you always recompile your templates with the latest compiler in your build pipelines.
25+
26+
- Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
27+
- Calling "helperMissing" and "blockHelperMissing" directly from a template (like in `{{blockHelperMissing}}` was
28+
never intended and was part of the exploits that have been revealed early in 2019
29+
(see https://github.com/wycats/handlebars.js/issues/1495). *It is also part of a new exploit that
30+
is not captured by the earlier fix.* In order to harden Handlebars against such exploits, calling thos helpers
31+
is now not possible anymore. *Overriding* those helpers is still possible.
32+
- If you really need this behavior, you can set the runtime option `allowCallsToHelperMissing` to `true` and the
33+
calls will again be possible
34+
35+
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
36+
37+
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
38+
39+
40+
41+
[Commits](https://github.com/wycats/handlebars.js/compare/v4.2.1...v4.3.0)
642

743
## v4.2.1 - September 20th, 2019
844
Bugfixes:

0 commit comments

Comments
 (0)