Merge branch '4.x'

# Conflicts:
#	components/bower.json
#	components/handlebars.js.nuspec
#	components/package.json
#	integration-testing/multi-nodejs-test/test.sh
#	package-lock.json
#	package.json

Author: nknapp

Gruntfile.js

@@ -119,19 +119,19 @@ module.exports = function(grunt) {
           concurrency: 4,
           browsers: [
             { browserName: 'chrome' },
-            { browserName: 'firefox', platform: 'Linux' },
+            { browserName: 'firefox', platform: 'Linux' }
             // {browserName: 'safari', version: 9, platform: 'OS X 10.11'},
             // {browserName: 'safari', version: 8, platform: 'OS X 10.10'},
-            {
-              browserName: 'internet explorer',
-              version: 11,
-              platform: 'Windows 8.1'
-            },
-            {
-              browserName: 'internet explorer',
-              version: 10,
-              platform: 'Windows 8'
-            }
+            // {
+            //   browserName: 'internet explorer',
+            //   version: 11,
+            //   platform: 'Windows 8.1'
+            // },
+            // {
+            //   browserName: 'internet explorer',
+            //   version: 10,
+            //   platform: 'Windows 8'
+            // }
           ]
         }
       },

integration-testing/multi-nodejs-test/test.sh

@@ -12,18 +12,20 @@ cd "$( dirname "$( readlink -f "$0" )" )" || exit 1
 # However, the built distribution should work with older NodeJS versions as well.
 # This test is simple by design. It merely ensures, that calling Handlebars does not fail with old versions.
 # It does (almost) not test for correctness, because that is already done in the mocha-tests.
-# And it does not use any NodeJS based testing framwork to make this part independent of the Node version.
+# And it does not use any NodeJS based testing framework to make this part independent of the Node version.
 
 unset npm_config_prefix
 
 echo "Handlebars should be able to run in various versions of NodeJS"
-for i in  10 11 12 13 ; do
+for node_version_to_test in 10 11 12 13 14 15; do
+
     rm target node_modules package-lock.json -rf
     mkdir target
-    nvm install "$i"
-    nvm exec "$i" npm install
-    nvm exec "$i" npm run test
-    nvm exec "$i" npm run test-precompile
+
+    nvm install "$node_version_to_test"
+    nvm exec "$node_version_to_test" npm install
+    nvm exec "$node_version_to_test" npm run test
+    nvm exec "$node_version_to_test" npm run test-precompile
 
     echo Success
 done

lib/handlebars/base.js

@@ -5,7 +5,7 @@ import { registerDefaultDecorators } from './decorators';
 import logger from './logger';
 import { resetLoggedProperties } from './internal/proto-access';
 
-export const VERSION = '4.7.6';
+export const VERSION = '4.7.7';
 export const COMPILER_REVISION = 8;
 export const LAST_COMPATIBLE_COMPILER_REVISION = 7;
 

lib/handlebars/compiler/javascript-compiler.js

@@ -16,7 +16,12 @@ JavaScriptCompiler.prototype = {
     return this.internalNameLookup(parent, name);
   },
   depthedLookup: function(name) {
-    return [this.aliasable('container.lookup'), '(depths, "', name, '")'];
+    return [
+      this.aliasable('container.lookup'),
+      '(depths, ',
+      JSON.stringify(name),
+      ')'
+    ];
   },
 
   compilerInfo: function() {

lib/handlebars/runtime.js

@@ -121,7 +121,7 @@ export function template(templateSpec, env) {
           loc: loc
         });
       }
-      return obj[name];
+      return container.lookupProperty(obj, name);
     },
     lookupProperty: function(parent, propertyName) {
       let result = parent[propertyName];

release-notes.md

@@ -2,7 +2,26 @@
 
 ## Development
 
-[Commits](https://github.com/wycats/handlebars.js/compare/v4.7.6...master)
+[Commits](https://github.com/handlebars-lang/handlebars.js/compare/v4.7.7...master)
+
+## v4.7.7 - February 15th, 2021
+
+- fix weird error in integration tests - eb860c0
+- fix: check prototype property access in strict-mode (#1736) - b6d3de7
+- fix: escape property names in compat mode (#1736) - f058970
+- refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
+- chore: start testing on Node.js 12 and 13 - 3789a30
+
+(POSSIBLY) BREAKING CHANGES:
+
+- the changes from version [4.6.0](https://github.com/handlebars-lang/handlebars.js/blob/master/release-notes.md#v460---january-8th-2020) now also apply
+  in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods
+  can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties
+  from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.
+
+That is why we only bump the patch version despite mentioning breaking changes.
+
+[Commits](https://github.com/wycats/handlebars.js/compare/v4.7.6...v4.7.7)
 
 ## v4.7.6 - April 3rd, 2020
 

spec/security.js

@@ -298,6 +298,10 @@ describe('security issues', function() {
         checkProtoPropertyAccess({ compat: true });
       });
 
+      describe('in strict-mode', function() {
+        checkProtoPropertyAccess({ strict: true });
+      });
+
       function checkProtoPropertyAccess(compileOptions) {
         it('should be prohibited by default and log a warning', function() {
           var spy = sinon.spy(console, 'error');
@@ -396,6 +400,28 @@ describe('security issues', function() {
       });
     });
   });
+
+  describe('escapes template variables', function() {
+    it('in compat mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions({ compat: true })
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+
+    it('in default mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions()
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+    it('in default mode', function() {
+      expectTemplate("{{'a\\b'}}")
+        .withCompileOptions({ strict: true })
+        .withInput({ 'a\\b': 'c' })
+        .toCompileTo('c');
+    });
+  });
 });
 
 function wrapToAdjustContainer(precompiledTemplateFunction) {