Un-document the fix for #2911 for the time being
jgonggrijp committed Mar 14, 2021
1 parent 4c73526 commit 7e89b79
Showing 5 changed files with 5 additions and 29 deletions.
10 changes: 1 addition & 9 deletions modules/template.js
@@ -24,11 +24,6 @@ function escapeChar(match) {
return '\\' + escapes[match];
}

// In order to prevent third-party code injection through
// `_.templateSettings.variable`, we test it against the following regular
// expression. It is intentionally a bit more liberal than just matching valid
// identifiers, but still prevents possible loopholes through defaults or
// destructuring assignment.
var bareIdentifier = /^\s*(\w|\$)+\s*$/;

// JavaScript micro-templating, similar to John Resig's implementation.
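Review bot: with the five comment lines deleted, `var bareIdentifier = /^\s*(\w|\$)+\s*$/;` now sits with nothing stating what it guards. The commit message says the un-documenting is temporary, so a short pointer (the #2911 reference or a TODO) next to the declaration would keep a future reader from relaxing the pattern without realising it is an injection guard on `_.templateSettings.variable`. The deleted text also recorded the design decision that the pattern is deliberately more liberal than the identifier grammar while still excluding defaults and destructuring assignment; that rationale is the part most worth restoring when the comment comes back.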
@@ -68,10 +63,7 @@ export default function template(text, settings, oldSettings) {

var argument = settings.variable;
if (argument) {
// Insure against third-party code injection.
if (!bareIdentifier.test(argument)) throw new Error(
'variable is not a bare identifier: ' + argument
);
if (!bareIdentifier.test(argument)) throw new Error(argument);
} else {
// If a variable is not specified, place data values in local scope.
source = 'with(obj||{}){\n' + source + '}\n';
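Review bot: the replacement `if (!bareIdentifier.test(argument)) throw new Error(argument);` throws an exception whose message is only the rejected `variable` value, so a caller who sees it has no indication of what was wrong or which setting produced it. Even if the explanatory comment and the 'not a bare identifier' wording are being withheld for now, a neutral message that names the setting (for example `'invalid template variable: ' + argument`) would keep the failure diagnosable without saying more than the code already shows. The surrounding `if (argument) {` guard is unchanged, so an unset `variable` still falls through to the `with(obj||{})` branch exactly as before.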
10 changes: 1 addition & 9 deletions underscore-esm.js

2 changes: 1 addition & 1 deletion underscore-esm.js.map

10 changes: 1 addition & 9 deletions underscore.js

2 changes: 1 addition & 1 deletion underscore.js.map

0 comments on commit 7e89b79