[Security] The included handlebars.js (v. 3.0.2) is affected by CVE-2019-19919

[ddalcino]

This gem includes an old version of handlebars (v 3.0.2), which includes a security bug fixed in v 4.3.0. I don't know if this gem is maintained anymore, but if it is I think it would be worthwhile to update handlebars to 4.3.0 or 3.0.8.

If this gem is not maintained anymore, maybe the README could warn users about this?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
GHSA-w457-6q6x-cgp9

[ddalcino]

Apparently, Handlebars 4.3.0 and 3.0.8 are also affected by related CVEs, including these:

• Prototype Pollution: GHSA-765h-qjxv-5f44
• Prototype Pollution: GHSA-f2jv-r9rf-7988
• Cross Site Scripting: GHSA-9prh-257w-9277

It appears that there's no safe way to update handlebars without jumping all the way to Handlebars 4.7.7. I was about to volunteer to file a PR that replaces Handlebars 3.0.2 with 3.0.8, but that's not going to work anyway. I'm not up to the task of making such a large upgrade; sorry.

Any thoughts, @Nerian?

[Nerian]

This repo just packages the original code into a gem for easy Rails usage. The original repo is at:
https://github.com/bootstrap-wysiwyg/bootstrap3-wysiwyg

Last update was on 2016 I am afraid.
These days I just summernote