diff --git a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js
index d129815c0..d9b88daff 100644
--- a/lib/handlebars/compiler/javascript-compiler.js
+++ b/lib/handlebars/compiler/javascript-compiler.js
@@ -28,7 +28,12 @@ JavaScriptCompiler.prototype = {
 }
 },
 depthedLookup: function(name) {
- return [this.aliasable('this.lookup'), '(depths, "', name, '")'];
+ return [
+ this.aliasable('this.lookup'),
+ '(depths, ',
+ JSON.stringify(name),
+ ')'
+ ];
 },
 compilerInfo: function() {
diff --git a/package-lock.json b/package-lock.json
index 4d7fa42a2..fa2b94eea 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4367,9 +4367,9 @@
 "dev": true
 },
 "nan": {
- "version": "2.14.0",
- "resolved": "https://registry.npmjs.org/nan/-/nan-2.14.0.tgz",
- "integrity": "sha512-INOFj37C7k3AfaNTtX8RhsTw7qRy7eLET14cROi9+5HAVbbHuIWUHEauBv5qT4Av2tWasiTY1Jw6puUNqRJXQg==",
+ "version": "2.14.2",
+ "resolved": "https://registry.npmjs.org/nan/-/nan-2.14.2.tgz",
+ "integrity": "sha512-M2ufzIiINKCuDfBSAUr1vWQ+vuVcA9kqx8JJUsbQi6yf1uGRyb7HfpdfUr5qLXf3B/t8dPvcjhKMmlfnP47EzQ==",
 "dev": true,
 "optional": true
 },
diff --git a/spec/security.js b/spec/security.js
index d9a7ca388..3f64f3c13 100644
--- a/spec/security.js
+++ b/spec/security.js
@@ -99,4 +99,26 @@ describe('security issues', function() {
 shouldCompileTo('{{lookup this "__proto__"}}', {}, '');
 });
 });
+
+ describe('escapes template variables', function() {
+ it('in compat mode', function() {
+ expectTemplate("{{'a\\b'}}")
+ .withCompileOptions({ compat: true })
+ .withInput({ 'a\\b': 'c' })
+ .toCompileTo('c');
+ });
+
+ it('in default mode', function() {
+ expectTemplate("{{'a\\b'}}")
+ .withCompileOptions()
+ .withInput({ 'a\\b': 'c' })
+ .toCompileTo('c');
+ });
+ it('in default mode', function() {
+ expectTemplate("{{'a\\b'}}")
+ .withCompileOptions({ strict: true })
+ .withInput({ 'a\\b': 'c' })
+ .toCompileTo('c');
+ });
+ });
 });
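Review bot: `JSON.stringify(name)` in `depthedLookup` leaves U+2028 and U+2029 unescaped, and JavaScript engines older than ES2019 treat those as line terminators inside a string literal, so a property name containing one would make the generated template source fail to parse there. If such engines are still supported, escape them after serialising, e.g. `JSON.stringify(name).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029')`, or reuse the compiler's existing string-quoting helper if it already covers these. A short comment above the return, such as `// name comes from the template source; always emit it as a serialised string literal`, would also record why the quotes are no longer concatenated by hand.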
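Review bot: The third test in the new `describe('escapes template variables', ...)` block reuses the title `'in default mode'` although it compiles with `{ strict: true }`, so a failure report cannot tell the two cases apart; it should read `it('in strict mode', function() {`. All three cases only exercise a backslash in the name, while the compiler change in this commit is about how the quoted name is emitted, so a case whose property name contains a double quote would pin the fixed behaviour more directly. Only the compat-mode path (`depthedLookup`) is changed in this diff; the default and strict cases presumably run through code outside it.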