TL;DR
This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the `data` parameter of `renderFile()` into `config`, meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of `varName`, `include`, `includeFile`, and `useWith`, and thus insert arbitrary code into user template functions.
With this release, such behavior is removed. Configuration cannot be passed through the `data` parameter to `eta.renderFile()`.
Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.
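To make the difference between the two calling conventions concrete, the following is an added toy model written for these notes; it is not Eta's source and the `{{ it.name }}` placeholder syntax is invented for the toy renderer, not Eta's template syntax. It contrasts a v1-style call, where one object serves as both data and config, with a v2-style call, where config comes only from a separate argument, and includes a small pre-upgrade check (`findConfigCollisions`, a hypothetical helper) that lists keys in untrusted data colliding with engine configuration names. The sample input is constructed.

```javascript
// Added illustration, not Eta's code: a toy engine modelling how v1 merged the
// data parameter into config and how v2 keeps the two separate.

// Config keys the release notes name as reachable through data in v1.
const RESERVED_CONFIG_KEYS = ["varName", "include", "includeFile", "useWith"];

// Assumed defaults for the toy engine (not Eta's real defaults).
const DEFAULT_CONFIG = { varName: "it", cache: false, useWith: false };

// v1-style resolution: a single object served as both data and config, so any
// key present in untrusted data could shadow a configuration option.
function resolveConfigV1(dataAndConfig) {
  return { ...DEFAULT_CONFIG, ...dataAndConfig };
}

// v2-style resolution: config comes only from the explicit config argument;
// the data object is never consulted.
function resolveConfigV2(config = {}) {
  return { ...DEFAULT_CONFIG, ...config };
}

// Toy renderer: expands "{{ <varName>.<field> }}" from the data object.
// A placeholder whose prefix is not the configured varName is left unresolved.
function renderToy(template, data, config) {
  return template.replace(/\{\{\s*(\w+)\.(\w+)\s*\}\}/g, (match, prefix, field) => {
    if (prefix !== config.varName) return match;
    return Object.prototype.hasOwnProperty.call(data, field) ? String(data[field]) : "";
  });
}

// v1-shaped call: one object for both data and config.
function renderFileV1(template, dataAndConfig) {
  return renderToy(template, dataAndConfig, resolveConfigV1(dataAndConfig));
}

// v2-shaped call: data and config are separate parameters.
function renderFileV2(template, data, config = {}) {
  return renderToy(template, data, resolveConfigV2(config));
}

// Pre-upgrade check: which keys in untrusted data collide with config names?
// In v1 these keys would have reached the engine configuration.
function findConfigCollisions(data) {
  return Object.keys(data).filter(
    (k) =>
      RESERVED_CONFIG_KEYS.includes(k) ||
      Object.prototype.hasOwnProperty.call(DEFAULT_CONFIG, k)
  );
}

// Constructed sample: untrusted input that happens to carry a config key name.
const UNTRUSTED_DATA = { name: "Alice", varName: "tampered" };
const TEMPLATE = "Hello {{ it.name }}";

// Under the v1 convention the data key overrides varName and the template no
// longer resolves; under the v2 convention config is untouched by data.
console.log("v1:", renderFileV1(TEMPLATE, UNTRUSTED_DATA));
console.log("v2:", renderFileV2(TEMPLATE, UNTRUSTED_DATA, { cache: true }));
console.log("collisions:", findConfigCollisions(UNTRUSTED_DATA));
```

The point of the toy is the shape of the API, not the rendering: once configuration can only arrive through its own argument, nothing a caller places in the data object can change how the engine itself behaves, which is exactly what the v2 signature `renderFile(filePath, data, config)` enforces.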
Practical Implications
- Configuration must be passed to `renderFile` explicitly, rather than merged with the `data` parameter
- Using Express.js `app.set()` to modify `views` and `cache` will no longer work
- Eta no longer recognizes the legacy Express.js `settings["view options"]` property
Example Code Changes
```javascript
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2
```

```javascript
// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
eta.configure({ views: "./views", cache: true })
app.engine("eta", eta.renderFile)
app.set("view engine", "eta")
```