wecodemore / grunt-githooks

A Grunt plugin to help bind Grunt tasks to Git hooks
https://npmjs.org/package/grunt-githooks
MIT License
317 stars 24 forks

Update Handlebars #64

Closed jshemas closed 6 years ago

jshemas commented 8 years ago

It looks like this project is using a very old version of Handlebars; would it be possible to update this?

franz-josef-kaiser commented 8 years ago

Hi @jshemas – I have edited both the title as well as the content (not that it would not be visible anymore). Could you please, for future issues like this one, start by contacting us via email and give us time to fix things before you go public with this? This is the default behavior when you find such an issue. Thanks.

This may lead to a Cross-Site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the handlebars template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.

This task is a build time task. It's not handling any user input. The only thing it does is that it builds git hooks from a template. So this issue actually is invalid.

Anyway, leaving it open as I agree that the only real dependency here should be updated. Handlebars has made some serious progress.

jshemas commented 8 years ago

Hey there,

Yeah, this isn't really a threat I would be worried about. But it would be awesome if you updated regardless.

Thanks!

franz-josef-kaiser commented 8 years ago

Sure. I already assigned a milestone.