jashkenas / underscore

JavaScript's utility _ belt
https://underscorejs.org
MIT License

Security fix for _.template variable parameter (CVE-2021-23358) #2917

Closed jgonggrijp closed 3 years ago

jgonggrijp commented 3 years ago

This branch contains my test and fix for the security issue of #2915. The changes visible here were published to NPM as version 1.12.1. Also related to #2911.

coveralls commented 3 years ago

Coverage increased (+0.02%) to 95.217% when pulling 7e3d4042a0b9bb76e70da62204c283d1530f7a44 on jgonggrijp:template-variable-parameter into 798eafa190ebab8de53fcc559201e741c73ec54a on jashkenas:master.