Disallow access to prototype chain (CVE-2024-54152) when using compile with locals (two arguments in the called function) :
compile("__proto__")({}, {});=> This now returns undefined, previously it would give you the __proto__ instance which would allow Remote Code Execution.
Thanks to @JorianWoltjer who found the vulnerability and reported it.
Make handleThis the default if you use the Lexer and Parser directly, and you don't use .compile.
This is a way less common use case but it makes sense to have handleThis be the same default for both cases.
(This also makes the library behave in the same way between 1.3.0 and 1.4.1 when using Parser or Lexer). There was a backwards incompatible change brought by 1.4.0 for users of Parser.
Don't use this version, it is missing a commit for the 1.4.2 fix
Add support for handleThis: false to disable handling of this.
(By default handleThis is true).
This way, if you write : {this | filter}, the this will be used as a key
from the scope, eg scope["this"].
Add support for template literals.
It is now possible to write :
compile("`Hello ${user}`")({ user: "John" });
// Returns "Hello John"Bugfix compile(tag, { csp: true }) should now work correctly.
Add four options to the second arg of the compile method :
-
compile(tag, {filters: { upper: (input) => input.toUpperCase()}})which adds filters to a specific instance (those filters are not shared between instances). -
compile(tag, {cache: {}})to set a "non global" cache. -
compile(tag, { csp: true })to use the interpreter (avoid use of "new Function()" which is for example not allowed in Vercel). -
compile(tag, {literals: { true: true, false: false, null: null, undefined: undefined } })which allows to customize literals (such as null, true, false, undefined)
Update typescript typings for "Parser"
Update typescript typings (add .assign method)
Update typescript typings (add filters).
Add typescript typings (for compile, Parser and Lexer).
Published by mistake (same as 1.1.7), but without dependency changes
Add specific error when a filter is not defined.
Bugfix : When using an assignment expression, such as b = a, the value will always be set in the scope, not in the locals.
With this code :
const scope = { a: 10 };
const locals = { b: 5 };
compile("b=a")(scope, locals);The scope value will be { a: 10, b: 10 } after the evaluation.
In previous versions, the value would be assigned to the locals, meaning locals would be { b: 10 }
Bugfix : Make module ES5 compatible (to work in IE10 for example), by using var instead of const
- Disallow access to prototype chain (CVE-2021-21277)
Previous version was published with ES6 feature, now the published JS uses ES5 only
- Add support for special characters by using the following :
function validChars(ch) {
return (
(ch >= "a" && ch <= "z") ||
(ch >= "A" && ch <= "Z") ||
ch === "_" ||
ch === "$" ||
"ÀÈÌÒÙàèìòùÁÉÍÓÚáéíóúÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜŸäëïöüÿß".indexOf(ch) !== -1
);
}
evaluate = compile("être_embarassé", {
isIdentifierStart: validChars,
isIdentifierContinue: validChars,
});
evaluate({ être_embarassé: "Ping" });- Disallow access to prototype chain (CVE-2020-5219)
- Add support for
thiskeyword to write :
evaluate = compile("this + 2")(2); // which gives 4