fix: escape property names in compat mode (handlebars-lang#1736)

nknapp · bitwiseman · commit 3315df58a6f0 · 2021-05-18T14:52:33.000-07:00
diff --git a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js
@@ -28,7 +28,12 @@ JavaScriptCompiler.prototype = {
     }
   },
   depthedLookup: function(name) {
-    return [this.aliasable('this.lookup'), '(depths, "', name, '")'];
+    return [
+      this.aliasable('this.lookup'),
+      '(depths, ',
+      JSON.stringify(name),
+      ')'
+    ];
   },
 
   compilerInfo: function() {
diff --git a/package-lock.json b/package-lock.json
diff --git a/spec/security.js b/spec/security.js
@@ -103,4 +103,26 @@ describe('security issues', function() {
             shouldCompileTo('{{lookup this "__proto__"}}', {}, '');
         });
     });
+
+  describe('escapes template variables', function() {
+    it('in compat mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions({ compat: true })
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+
+    it('in default mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions()
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+    it('in default mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions({ strict: true })
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+  });
 });
