Bug Fixes
Update pug-code-gen with the following fix: (#3438)
Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if untrusted user input is passed to the compilation options
Variables starting with keywords cause the regex to "drift" on capture groups, causing errors (#3274)
Lexer plugins are not dropped inside tag interpolation (#3296)
You can use tag interpolation to embed tags in long strings, e.g.
p.
  This is a #[strong long] string of text.
Previously, lexer plugins would not work within the #[...] interpolation...
Sanitise the pretty option (#3314)
If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.
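The two remote code execution fixes above (#3438 for templateName and globals, #3314 for pretty) share one root cause: an option an attacker can influence is spliced into generated JavaScript source that the engine then evaluates. The block below is an added illustration, not pug's code and not a description of how pug itself validates these options: a toy generator that shows the unsafe splice beside the checks a caller should run before passing untrusted values to a compile step. All function names, the identifier and whitespace regexes, and the constructed hostile input are this example's own assumptions.

```javascript
// Added illustration, not pug's own code: a toy code generator that, like a
// template compiler, splices compilation options into JavaScript source, and
// the input checks a caller should apply before handing untrusted values to
// it. naiveGenerate, isSafeIdentifier, sanitizePretty, safeCompileOptions and
// compile are names chosen here; the regexes are deliberately conservative
// and are this example's assumption, not a description of pug's fix.

// Deliberately naive: templateName, globals and the pretty indent string are
// concatenated straight into source. This is the pattern that turns an
// attacker-controlled option into code execution once the source is evaluated.
function naiveGenerate({ templateName, globals, pretty }) {
  const indent = pretty === true ? '  ' : (pretty || '');
  return [
    `function ${templateName}(locals) {`,
    // one alias per global: var title = locals.title;
    ...globals.map((g) => `${indent}var ${g} = locals.${g};`),
    `${indent}return ${JSON.stringify(indent)} + "<p>hi</p>";`,
    '}',
    `return ${templateName};`,
  ].join('\n');
}

// Reserved words that would parse as something other than a plain binding.
const RESERVED = new Set(('break case catch class const continue debugger default ' +
  'delete do else enum export extends false finally for function if import in ' +
  'instanceof let new null return static super switch this throw true try typeof ' +
  'var void while with yield await').split(' '));

// Accept only ASCII identifiers (letters, digits, _ and $, not starting with a
// digit) that are not reserved words. Stricter than ECMAScript's full
// IdentifierName grammar on purpose: no Unicode letters, no \u escapes.
function isSafeIdentifier(name) {
  return typeof name === 'string'
    && /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)
    && !RESERVED.has(name);
}

// pretty is only ever used as indentation, so anything but a boolean or a
// whitespace-only string is rejected rather than spliced into the source.
function sanitizePretty(pretty) {
  if (pretty === undefined || pretty === false) return false;
  if (pretty === true) return true;
  if (typeof pretty === 'string' && /^[ \t]*$/.test(pretty)) return pretty;
  throw new TypeError('pretty must be a boolean or a whitespace-only string');
}

// Validate every option that reaches the generator and throw before any
// source is produced; rejecting later, once source exists, is too late.
function safeCompileOptions(opts = {}) {
  const templateName = opts.templateName === undefined ? 'template' : opts.templateName;
  if (!isSafeIdentifier(templateName)) {
    throw new TypeError(`templateName is not a valid identifier: ${JSON.stringify(templateName)}`);
  }
  const globals = Array.isArray(opts.globals) ? opts.globals : [];
  for (const g of globals) {
    if (!isSafeIdentifier(g)) throw new TypeError(`globals entry is not a valid identifier: ${JSON.stringify(g)}`);
  }
  return { templateName, globals, pretty: sanitizePretty(opts.pretty) };
}

// Hardened entry point: options are validated, then the generated source is
// turned into a function the same way a template engine would.
function compile(opts) {
  const src = naiveGenerate(safeCompileOptions(opts));
  return new Function(src)();
}

// Constructed inputs: a benign call, and one where templateName is attacker
// controlled. The hostile source is only inspected, never evaluated.
const page = compile({ templateName: 'page', globals: ['title'], pretty: true });
console.log(page({ title: 'x' })); // "  <p>hi</p>"

const hostile = { templateName: 'page(){}; globalThis.pwned = 1; function z', globals: [] };
const injected = naiveGenerate({ ...hostile, pretty: false });
console.log(injected.includes('globalThis.pwned = 1')); // true: the option became a statement
try {
  compile(hostile);
} catch (err) {
  console.log(err.message); // rejected before any source is generated
}
```

The identifier check is intentionally narrower than what the language allows; a template name or global that needs Unicode letters is rare, and a whitelist that is easy to reason about is the safer trade for an option that ends up inside evaluated source.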
read plugins must now return Buffer if you want to support filters that use renderBuffer (#3213)
If you don't wish to support this advanced use case, you can continue returning string. If you did not provide a read plugin, you do not need to do anything.
The minify option on filters now requires you to install the relevant jstransformer (#3084)
C...
EachOf tokens (#3179)