Prevent command injection through _.template's variable option

Closes #5085.
2026-01-29 06:27:49 +00:00 · 2021-02-17 12:33:19 +01:00
parent ded9bc6658
commit 3469357cff
2 changed files with 28 additions and 1 deletions
--- a/test/test.js
+++ b/test/test.js
@@ -22296,6 +22296,14 @@
      }
    });

+    QUnit.test('should forbid code injection through the "variable" options', function(assert) {
+      assert.expect(1);
+
+      assert.raises(function () {
+        _.template('', { 'variable': '){console.log(process.env)}; with(obj' });
+      });
+    });
+
    QUnit.test('should support custom delimiters', function(assert) {
      assert.expect(2);