
Javascript execution from template #1267

@cryptoad


It is possible to execute JavaScript from a template without registering any helper/partial/whatever or having any function in the context. I am not sure if you guys care about this, but it probably is not ideal in the event of a template injection. Anyway, it makes the logicless aspect less logicless.

Here is a sample that would execute whatever is in the initial string (e.g. alert(1)) without anything extra registered:

{{#with 'alert(1)|'}}
{{#with (split '|' 1)}}
{{#> p constructor.constructor}}
{{> (apply 0 ../this)}}
{{/p}}
{{/with}}
{{/with}}

I'd venture and say that it could be fixed by making sure that only "own" properties of the helpers/etc dictionaries can be accessed instead of their prototypes' ones as well.
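As an added example (not the issue author's template and not Handlebars' own code), here is the own-property lookup the last paragraph suggests, written in JavaScript beside the naive lookup that lets a path like constructor.constructor walk from a string value up to Function. The names lookupProperty, lookupPropertyUnsafe, resolvePath, resolvePathUnsafe and the sample context are assumptions made for this example.

```javascript
// Added example, not from the issue or the Handlebars project.
// Two ways of resolving a dotted template path against a context value.

const hasOwn = Object.prototype.hasOwnProperty;

// Naive lookup: plain property access, so inherited properties are reachable.
// On the string 'alert(1)|' the segment "constructor" yields String and the
// next "constructor" yields Function, which is the escape shown in the issue.
function lookupPropertyUnsafe(parent, name) {
  if (parent === null || parent === undefined) return undefined;
  return parent[name];
}

// Hardened lookup: a segment resolves only if it is an *own* property of the
// current value. Prototype members (constructor, __proto__, toString, ...)
// are never exposed, and primitives expose nothing at all.
function lookupProperty(parent, name) {
  if (parent === null || parent === undefined) return undefined;
  if (typeof parent === 'object' || typeof parent === 'function') {
    return hasOwn.call(parent, name) ? parent[name] : undefined;
  }
  // Strings, numbers, booleans: every interesting property is inherited.
  return undefined;
}

// Walk a path such as "user.name" or "constructor.constructor" segment by
// segment with the chosen lookup. reduce passes extra arguments that both
// lookups ignore.
function resolvePathUnsafe(context, path) {
  return path.split('.').reduce(lookupPropertyUnsafe, context);
}

function resolvePath(context, path) {
  return path.split('.').reduce(lookupProperty, context);
}

// Constructed sample context: a plain data object plus a registered helper.
const sampleContext = {
  user: { name: 'alice' },
  helpers: { split: (s, sep, i) => s.split(sep)[i] },
};
```

Own data and registered helpers still resolve normally under the hardened lookup (user.name, helpers.split), while user.toString and constructor.constructor on a string both come back undefined. Handlebars itself later added a lookupProperty step with the allowProtoPropertiesByDefault and allowProtoMethodsByDefault runtime options to control exactly this.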
