Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security review: builtin calls and prototype chain restrictions #1098

Merged
merged 1 commit into from
Dec 9, 2015

Conversation

dvoytenko
Copy link
Contributor

No description provided.

}
};
expect(mustache.render(
'{{#t}}{{x.pop}}X{{x.pop}}{{/t}}' +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you explain why it would mutate t instead of just popping from x (which is empty in this scenario)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just how mustache works. It passes the view object into the func.call(). In this case it's whatever is in {{#}}.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accessing nested attributes is a JS-specific extension to mustache. When you reference a nested function, it will be called with the current context as this, instead of the parent of the function.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's worth opening a ticket for mustache.js since this might be surprizing to most developers.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@molnarg thanks, appreciate the explanation!

@erwinmombay
Copy link
Member

@dvoytenko LGTM

dvoytenko added a commit that referenced this pull request Dec 9, 2015
Security review: builtin calls and prototype chain restrictions
@dvoytenko dvoytenko merged commit f1f397c into ampproject:master Dec 9, 2015
@dvoytenko dvoytenko deleted the mustache-sec1 branch February 12, 2018 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants