3201 Commits

Author SHA1 Message Date
isk
01a91d7409 fix: ejs evalerror with browser extension 2023-08-18 12:52:20 +02:00
mde
29b076cdbb Added header 2023-05-27 09:54:19 -07:00
mde
11503c79af Merge branch 'main' of github.com:mde/ejs into main 2023-05-27 09:53:37 -07:00
mde
7690404e2f Added security banner to README 2023-05-27 09:53:12 -07:00
Matthew Eernisse
f47d7aedd5 Update SECURITY.md 2023-03-27 11:04:48 -07:00
Matthew Eernisse
828cea1687 Update SECURITY.md 2023-03-27 11:04:07 -07:00
Matthew Eernisse
689ca02f02 Update SECURITY.md 2023-03-27 10:36:20 -07:00
mde
aed012481d Version 3.1.9 2023-03-12 12:29:51 -07:00
mde
7083793437 Updated dev deps 2023-03-12 12:29:21 -07:00
Matthew Eernisse
87f1da6d2e Merge pull request #707 from mde/dependabot/npm_and_yarn/minimatch-3.1.2
Bump minimatch from 3.0.4 to 3.1.2
2023-03-12 12:26:10 -07:00
mde
e41a914249 Removed old changelog, please rely on git log 2023-03-12 12:24:44 -07:00
Matthew Eernisse
9ea36ba2f3 Merge pull request #719 from jportner/frozen-prototype-fix
Make escapeXML work when the Function prototype is frozen
2023-03-12 12:06:25 -07:00
Joe Portner
181a537556 Fall back to assignment, update test 2023-03-12 12:10:19 -04:00
Joe Portner
58bc2eb556 Change approach to shadowing "toString" property for escapeXML 2023-03-10 00:03:22 -05:00
dependabot[bot]
76c9c612f4 Bump minimatch from 3.0.4 to 3.1.2
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.2.
- [Release notes](https://github.com/isaacs/minimatch/releases)
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.1.2)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-31 20:05:52 +00:00
Matthew Eernisse
f818bce2a5 Merge pull request #706 from mde/dependabot/npm_and_yarn/flat-and-mocha-5.0.2
Bump flat and mocha
2022-12-31 12:05:16 -08:00
dependabot[bot]
0fca86359d Bump flat and mocha
Bumps [flat](https://github.com/hughsk/flat) to 5.0.2 and updates ancestor dependency [mocha](https://github.com/mochajs/mocha). These dependencies need to be updated together.


Updates `flat` from 4.1.0 to 5.0.2
- [Release notes](https://github.com/hughsk/flat/releases)
- [Commits](https://github.com/hughsk/flat/compare/4.1.0...5.0.2)

Updates `mocha` from 7.1.1 to 10.2.0
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mochajs/mocha/compare/v7.1.1...v10.2.0)

---
updated-dependencies:
- dependency-name: flat
  dependency-type: indirect
- dependency-name: mocha
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-30 20:15:48 +00:00
Matthew Eernisse
e92b960ab9 Merge pull request #704 from mshima/patch-1
root can be an array.
2022-11-19 10:26:19 -08:00
Marcelo Shima
9cc37d7c35 Update README.md 2022-11-18 10:35:30 -03:00
Marcelo Shima
f1d6c51a6c root can be an array. 2022-11-18 10:34:54 -03:00
Matthew Eernisse
5919964ec3 Merge pull request #685 from mde/dependabot/npm_and_yarn/shell-quote-1.7.3
Bump shell-quote from 1.7.2 to 1.7.3
2022-08-16 09:40:28 -07:00
Matthew Eernisse
fc78c01f22 Merge pull request #687 from i8-pi/cli-relative-path
Make relative paths in include work for cli
2022-07-23 12:10:13 -07:00
Thomas Chung
2e9e3cd4ba Make relative paths in include work for cli 2022-07-13 01:42:35 +10:00
dependabot[bot]
d263c9fbe3 Bump shell-quote from 1.7.2 to 1.7.3
Bumps [shell-quote](https://github.com/substack/node-shell-quote) from 1.7.2 to 1.7.3.
- [Release notes](https://github.com/substack/node-shell-quote/releases)
- [Changelog](https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md)
- [Commits](https://github.com/substack/node-shell-quote/compare/v1.7.2...1.7.3)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-23 02:48:47 +00:00
mde
f6ba7f3a60 Version bump in Express example 2022-05-11 12:21:18 -07:00
mde
5126ff57aa Version 3.1.8 2022-05-11 11:55:13 -07:00
mde
7d5a1c6a21 Merge branch 'main' of github.com:mde/ejs into main 2022-05-11 11:54:35 -07:00
mde
551949d861 Minor mitigation 2022-05-11 11:54:01 -07:00
Matthew Eernisse
66f7471d82 Merge pull request #664 from netcode/patch-1
Create SECURITY.md
2022-04-23 10:21:07 -07:00
mde
820855ad75 Version 3.1.7 2022-04-20 09:41:15 -07:00
mde
076dcb643c Don't use template literal 2022-04-20 09:36:05 -07:00
mde
faf8b849a4 Skip test -- error messages vary depending on JS runtime 2022-04-20 09:17:12 -07:00
mde
c028c343c1 Update packages 2022-04-20 09:16:40 -07:00
Eslam Salem
839ad20fd2 Update SECURITY.md 2022-04-13 04:48:04 +02:00
Eslam Salem
c040180203 Update README.md
Update the readme to add the security note
2022-04-13 04:46:40 +02:00
Eslam Salem
59db52035a Create SECURITY.md
Heavily inspired by the ExpressJS security policy.
2022-04-10 23:55:44 +02:00
Matthew Eernisse
e4180b4fa2 Merge pull request #629 from markbrouwer96/main
Updated jsdoc to 3.6.7
2021-09-25 09:12:12 -07:00
markbrouwer96
d5404d6e68 Updated jsdoc to 3.6.7 2021-09-23 13:11:18 +02:00
Matthew Eernisse
7b0845d6aa Merge pull request #609 from mde/dependabot/npm_and_yarn/glob-parent-5.1.2
Bump glob-parent from 5.1.1 to 5.1.2
2021-06-11 08:43:59 -07:00
dependabot[bot]
32fb8ee387 Bump glob-parent from 5.1.1 to 5.1.2
Bumps [glob-parent](https://github.com/gulpjs/glob-parent) from 5.1.1 to 5.1.2.
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gulpjs/glob-parent/compare/v5.1.1...v5.1.2)

---
updated-dependencies:
- dependency-name: glob-parent
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 11:53:46 +00:00
Matthew Eernisse
f21a9e4643 Merge pull request #603 from mde/mde-null-proto-where-possible
Move to utils, handle older runtimes, fix tests
2021-06-06 09:19:57 -07:00
Matthew Eernisse
a50e46f002 Merge pull request #606 from akash-55/main
Update syntax.md
2021-06-04 19:28:21 -07:00
akash-55
99b2d8e551 Update syntax.md 2021-06-05 07:03:19 +05:30
mde
576283bb5d Move to utils, handle older runtimes, fix tests 2021-05-31 13:29:51 -07:00
Matthew Eernisse
61b6616fd3 Merge pull request #601 from nicdumz/main
Mitigate prototype pollution effects
2021-05-31 12:40:23 -07:00
Nicolas Dumazet
be9a9bb397 Create Objects without prototypes.
This generally helps mitigate prototype pollution: even if another
library allows prototype pollution, ejs will not allow escalating this
into Remote Code Execution.
2021-05-31 21:37:02 +02:00
Nicolas Dumazet
15ee698583 Sanitize option names.
This prevents injection of arbitrary code if the server is already
vulnerable to prototype poisoning. This resolves #451.

I deliberately opted to not support complex Unicode identifiers even
though they're valid JS identifiers. They're complex to validate and
users probably shouldn't even try to be that creative.
2021-05-30 07:00:58 +02:00
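The two commit messages above (be9a9bb397 "Create Objects without prototypes" and 15ee698583 "Sanitize option names") describe the same attack path from two sides: a prototype-pollution bug elsewhere in the process plants a string on Object.prototype, a template compiler reads that string as if it were a configured option name and splices it into the JavaScript it generates, and the string runs as code. The following is an added example written for this page, not EJS's own code. It uses a deliberately tiny template compiler (only <%= expr %> is supported) whose option name, outputFunctionName, is modelled on the EJS option of that name, which this page does not show; the function names compileUnsafe, compileHardened and demoPollution, the identifier regex, and the polluted payload are all constructed here. The hardened variant applies both mitigations the commits name: it copies only own properties into a null-prototype object so nothing inherited is ever looked up, and it rejects any option that will be emitted as code unless it is a plain identifier.

```javascript
// Added example (not EJS's own code): how a polluted Object.prototype value
// reaches generated template source, and the two mitigations from the
// commits above. Template syntax is reduced to <%= expr %>; all inputs are
// constructed here. "outputFunctionName" mirrors the EJS option of that name.

const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

// "Hi <%= name %>!" -> statements calling __append(...) for text and values.
function templateToStatements(template) {
  return template
    .split(/<%=([\s\S]*?)%>/) // odd indices are the captured expressions
    .map((part, i) =>
      i % 2 === 1
        ? `__append(String(${part.trim()}));`
        : `__append(${JSON.stringify(part)});`
    )
    .join("\n");
}

// Unsafe codegen: opts.outputFunctionName is read through the normal
// prototype chain and pasted verbatim into source. Anything inherited from a
// polluted Object.prototype, or supplied as an attacker-controlled string,
// runs when the compiled function is called.
function compileUnsafe(template, opts) {
  let src = 'var __out = ""; function __append(s) { __out += s; }\n';
  if (opts.outputFunctionName) {
    src += `var ${opts.outputFunctionName} = __append;\n`;
  }
  src += `with (locals) {\n${templateToStatements(template)}\n}\n`;
  src += "return __out;";
  return new Function("locals", src); // sloppy-mode body, so `with` is legal
}

// Hardened codegen: copy only own properties into an object with no
// prototype (nothing inherited can be looked up on it), then refuse any
// option that will be emitted as code unless it is a plain identifier.
function compileHardened(template, rawOpts) {
  const opts = Object.create(null);
  for (const key of Object.keys(rawOpts || {})) opts[key] = rawOpts[key];
  if (opts.outputFunctionName !== undefined &&
      !JS_IDENTIFIER.test(String(opts.outputFunctionName))) {
    throw new Error("outputFunctionName is not a valid JS identifier: " +
                    JSON.stringify(opts.outputFunctionName));
  }
  return compileUnsafe(template, opts);
}

// Simulate a prototype-pollution bug elsewhere in the process (constructed
// for this example). The polluted value is a code fragment that, once
// spliced into "var <name> = __append;", sets a marker on globalThis.
function demoPollution() {
  const template = "Hi <%= name %>!";
  const locals = { name: "Ann" };
  const result = {};
  Object.prototype.outputFunctionName = "x; globalThis.__pwned = true; var y";
  try {
    globalThis.__pwned = false;
    result.unsafeOutput = compileUnsafe(template, {})(locals);
    result.unsafeInjected = globalThis.__pwned === true;   // true
    globalThis.__pwned = false;
    result.hardenedOutput = compileHardened(template, {})(locals);
    result.hardenedInjected = globalThis.__pwned === true; // false
  } finally {
    delete Object.prototype.outputFunctionName; // undo the simulated pollution
    delete globalThis.__pwned;
  }
  return result;
}

console.log(demoPollution());
```

Both compilers render "Hi Ann!"; the difference is only visible in the side effect. The unsafe path emits "var x; globalThis.__pwned = true; var y = __append;" because an empty options object still inherits the polluted property, while the hardened path never sees it. The identifier check matters independently of pollution: a string such as "a; b()" passed directly as the option (for example from request parameters) is rejected before any source is generated.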
Matthew Eernisse
c120527315 Merge pull request #598 from mde/dependabot/npm_and_yarn/lodash-4.17.21
Bump lodash from 4.17.20 to 4.17.21
2021-05-11 08:42:20 -07:00
dependabot[bot]
cfa273264b Bump lodash from 4.17.20 to 4.17.21
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.20 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.20...4.17.21)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-11 11:10:00 +00:00
Matthew Eernisse
c594d0e099 Merge pull request #585 from db-developer/main
fixed some situations...
2021-03-01 11:16:05 -08:00