Fix handlebars-lang#1748 where allowed prototype methods are not called

aalimovs · aalimovs · commit fe8709b1d476 · 2023-07-16T14:48:16.000+01:00
diff --git a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js
@@ -133,6 +133,9 @@ export function template(templateSpec, env) {
       }
 
       if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {
+        if (typeof result === 'function') {
+          return parent[propertyName]();
+        }
         return result;
       }
       return undefined;
diff --git a/spec/security.js b/spec/security.js
@@ -285,6 +285,17 @@ describe('security issues', function () {
           })
           .toCompileTo('abc');
       });
+
+      it('should use a proto method to trim a string', function () {
+        expectTemplate('{{aString.trim}}')
+          .withInput({ aString: '  abc  ' })
+          .withRuntimeOptions({
+            allowedProtoMethods: {
+              trim: true,
+            },
+          })
+          .toCompileTo('abc');
+      });
     });
 
     describe('control access to prototype non-methods via "allowedProtoProperties" and "allowProtoPropertiesByDefault', function () {

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,9 @@ export function template(templateSpec, env) {`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {`
	`136`	`+ if (typeof result === 'function') {`
	`137`	`+ return parent[propertyName]();`
	`138`	`+ }`
`136`	`139`	`return result;`
`137`	`140`	`}`
`138`	`141`	`return undefined;`