author | Yehuda Katz <wycats@gmail.com> | 2013-01-21 11:30:19 -0800 |
---|---|---|
committer | Yehuda Katz <wycats@gmail.com> | 2013-01-21 11:30:19 -0800 |
commit | a68a5ad5bac069934d0e8293a064ee312b26f7e7 (patch) | |
tree | eb4a421722094a3e9e2b42c2bc6e7158f1ceb10f | |
parent | 69d46e008b454139a6fc6077d66541e7b67145f8 (diff) | |
parent | 6ab92eee6d3fb4681a72682fadd114b788b2c5fc (diff) | |
Merge pull request #414 from leshill/leading_context_only
Only allow `this` or `..` to lead a path
-rw-r--r-- | dist/handlebars.js | 7 | ||||
-rw-r--r-- | lib/handlebars/compiler/ast.js | 7 | ||||
-rw-r--r-- | spec/qunit_spec.js | 22 |
3 files changed, 32 insertions, 4 deletions
diff --git a/dist/handlebars.js b/dist/handlebars.js
index a3610df..630dfb2 100644
--- a/dist/handlebars.js
+++ b/dist/handlebars.js
@@ -726,8 +726,11 @@ Handlebars.print = function(ast) {
 for(var i=0,l=parts.length; i<l; i++) {
 var part = parts[i];
- if(part === "..") { depth++; }
- else if(part === "." || part === "this") { this.isScoped = true; }
+ if (part === ".." || part === "." || part === "this") {
+ if (dig.length > 0) { throw new Handlebars.Exception("Invalid path: " + this.original); }
+ else if (part === "..") { depth++; }
+ else { this.isScoped = true; }
+ }
 else { dig.push(part); }
 }
diff --git a/lib/handlebars/compiler/ast.js b/lib/handlebars/compiler/ast.js
index fd6cdc5..f448523 100644
--- a/lib/handlebars/compiler/ast.js
+++ b/lib/handlebars/compiler/ast.js
@@ -76,8 +76,11 @@ var Handlebars = require('./base');
 for(var i=0,l=parts.length; i<l; i++) {
 var part = parts[i];
- if(part === "..") { depth++; }
- else if(part === "." || part === "this") { this.isScoped = true; }
+ if (part === ".." || part === "." || part === "this") {
+ if (dig.length > 0) { throw new Handlebars.Exception("Invalid path: " + this.original); }
+ else if (part === "..") { depth++; }
+ else { this.isScoped = true; }
+ }
 else { dig.push(part); }
 }
diff --git a/spec/qunit_spec.js b/spec/qunit_spec.js
index 62214ec..10b7424 100644
--- a/spec/qunit_spec.js
+++ b/spec/qunit_spec.js
@@ -207,6 +207,13 @@ test("this keyword in paths", function() {
 shouldCompileTo(string, hash, "helloHelloHELLO", "This keyword evaluates in more complex paths");
 });
+test("this keyword nested inside path", function() {
+ var string = "{{#hellos}}{{text/this/foo}}{{/hellos}}";
+ shouldThrow(function() {
+ CompilerContext.compile(string);
+ }, Error, "Should throw exception");
+});
+
 test("this keyword in helpers", function() {
 var helpers = {foo: function(value) {
 return 'bar ' + value;
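Review bot: The new guard in the path-segment loop of lib/handlebars/compiler/ast.js rejects `this`, `.` or `..` only once `dig` is non-empty, so a path whose leading segments mix them, such as `this/../name`, still appears to compile with both `isScoped` set and `depth` incremented. If a path is meant to begin with either a scope marker or a run of `..`, that combination needs its own check, or a statement that it is intentionally allowed. A one-line comment above the branch would record the rule, for example `// "this", "." and ".." are only valid before the first named segment`. The enclosing function starts and ends outside the hunk, and the identical hunk in dist/handlebars.js looks like the built copy of this file.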
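Review bot: The three new tests in spec/qunit_spec.js (this hunk and the two that follow it) pass the generic `Error` to `shouldThrow`, so they would presumably also succeed if compilation failed for an unrelated reason, such as a lexer or parser error on `text/this/foo`. Asserting the specific type, `Handlebars.Exception`, and, if `shouldThrow` supports it, the `Invalid path:` message would tie the tests to the new check. There is also no case for a nested `.` segment such as `text/./foo`, which the new branch rejects as well.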
@@ -221,6 +228,13 @@ test("this keyword in helpers", function() {
 shouldCompileTo(string, [hash, helpers], "bar hellobar Hellobar HELLO", "This keyword evaluates in more complex paths");
 });
+test("this keyword nested inside helpers param", function() {
+ var string = "{{#hellos}}{{foo text/this/foo}}{{/hellos}}";
+ shouldThrow(function() {
+ CompilerContext.compile(string);
+ }, Error, "Should throw exception");
+});
+
 suite("inverted sections");
 test("inverted sections with unset value", function() {
@@ -286,6 +300,14 @@ test("block with complex lookup", function() {
 "Templates can access variables in contexts up the stack with relative path syntax");
 });
+test("block with complex lookup using nested context", function() {
+ var string = "{{#goodbyes}}{{text}} cruel {{foo/../name}}! {{/goodbyes}}";
+
+ shouldThrow(function() {
+ CompilerContext.compile(string);
+ }, Error, "Should throw exception");
+});
+
 test("helper with complex lookup$", function() {
 var string = "{{#goodbyes}}{{{link ../prefix}}}{{/goodbyes}}";
 var hash = {prefix: "/root", goodbyes: [{text: "Goodbye", url: "goodbye"}]}; |