# Runtime options

The functions 'Handlebars.compile' and 'Handlebars.precompile' create a function. This function can be called as template(context, options), where context is the input object.

options is an object that can have any of the following properties:

  • data: Pass in an object to define custom @variable private variables.

  • helpers: Pass in to provide custom helpers in addition to the globally defined helpers. Values defined in this object will replace any values defined in the global object for the duration of the template execution.

  • partials: Pass in to provide custom partials in addition to the globally defined partials. Values defined in this object will replace any values defined in the global object for the duration of the template execution.

  • allowCallsToHelperMissing (since 4.3.0, insecure): If set to true, calls like {{helperMissing}} and {{blockHelperMissing}} will be allowed. Please note that this allows template authors to fabricate templates for Remote Code Execution on the environment running Handlebars (see https://github.com/handlebars-lang/handlebars.js/issues/1558).

# Options to control prototype access

From version 4.6.0 on, Handlebars forbids accessing prototype properties and methods of the context object by default. The reason is the various security issues that arise from this possibility. The following options can be used to control this access.

Using these properties may open security holes.

Allowing prototype properties may allow template authors to execute arbitrary code on the machine where Handlebars is running. Even with some restrictions in place, an attacker may fabricate Handlebars templates that crash your machine.

Details can be found in the npm-security advisories 755, 1164, 1316, 1324 and 1325, and in the blog article by Mahmoud Gamal.

  • allowProtoMethodsByDefault (since 4.7.0): a boolean (default: false) that defines whether methods that are defined on the prototype of an object should be resolvable or not, by default.

    The methods constructor, __defineGetter__, __defineSetter__, __lookupGetter__ and __lookupSetter__ are forbidden, even if this option is set to true. They can be accessed only if the corresponding key in allowedProtoMethods is set to true.

    Setting this option to any value disables the warning that Handlebars writes to the console if a proto-method access is attempted and forbidden.

  • allowedProtoMethods (since 4.6.0): a string-to-boolean map of property names that are allowed if they are methods of the parent object. Undefined values revert to the value defined in allowProtoMethodsByDefault.

  • allowProtoPropertiesByDefault (since 4.7.0): a boolean (default: false) that defines whether non-method properties that are defined on the prototype of an object should be resolvable or not, by default.

    The property __proto__ is forbidden, even if this option is set to true. It can only be accessed if the corresponding key in allowedProtoProperties is set to true.

    Setting this option to any value disables the warning that Handlebars writes to the console if a proto-property access is attempted and forbidden.

  • allowedProtoProperties (since 4.6.0): a string-to-boolean map of property names that are allowed if they are properties but not methods of the parent object. Undefined values revert to the value defined in allowProtoPropertiesByDefault.

    const handlebars = require("handlebars");

    // Default behaviour since 4.6.0: a method inherited from the prototype is not resolvable.
    const template = handlebars.compile("{{aString.trim}}");
    const result = template({ aString: "  abc  " });
    // result is empty, because trim is defined on String.prototype

    // The same compiled template, with trim explicitly allowed for this call only.
    const resultWithTrim = template(
      { aString: "  abc  " },
      {
        allowedProtoMethods: {
          trim: true
        }
      }
    );
    // resultWithTrim = 'abc'

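The lookup rules the options above describe, as an added example that is not Handlebars' own code: a small model of the decision, using the option names from this page, that shows how the forbidden names, the allowed* maps and the *ByDefault flags combine. The model only decides and resolves; it does not invoke any function it resolves.

```javascript
// Added model of the prototype-access policy described above; it is not
// Handlebars' own code, but it uses the option names from this page.
const FORBIDDEN_PROTO_METHODS = [
  "constructor", "__defineGetter__", "__defineSetter__",
  "__lookupGetter__", "__lookupSetter__",
];
const FORBIDDEN_PROTO_PROPERTIES = ["__proto__"];

// Decide whether `name`, looked up on `parent`, may be resolved under the
// given runtime options. Own properties are always resolvable; the options
// only gate properties inherited from the prototype chain.
function isPropertyAllowed(parent, name, options = {}) {
  if (parent === null || parent === undefined) return false;
  const obj = Object(parent); // wrap primitives such as strings
  if (Object.prototype.hasOwnProperty.call(obj, name)) return true;
  if (!(name in obj)) return false; // neither own nor inherited: nothing to resolve
  const isMethod = typeof obj[name] === "function";
  const allowMap = isMethod ? options.allowedProtoMethods : options.allowedProtoProperties;
  // An explicit true/false entry in the allowed* map wins, even for the forbidden names.
  if (allowMap && allowMap[name] !== undefined) return allowMap[name] === true;
  // Dangerous names stay forbidden regardless of the *ByDefault flag.
  const forbidden = isMethod ? FORBIDDEN_PROTO_METHODS : FORBIDDEN_PROTO_PROPERTIES;
  if (forbidden.includes(name)) return false;
  // Undefined map entries revert to the *ByDefault flag (false since 4.6.0).
  return isMethod
    ? options.allowProtoMethodsByDefault === true
    : options.allowProtoPropertiesByDefault === true;
}

// Resolve a dotted path such as "aString.trim" segment by segment, the way a
// template lookup walks the context. A blocked segment yields undefined, which
// a template would render as an empty string.
function lookupPath(context, path, options) {
  let current = context;
  for (const segment of path.split(".")) {
    if (!isPropertyAllowed(current, segment, options)) return undefined;
    current = current[segment];
  }
  return current;
}
```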
You can also use the package @handlebars/allow-prototype-access to revert to the 4.5.3 behavior in cases where you cannot pass runtime options, like in express-handlebars.

Last Updated: 2024/3/9 17:51:41