I am using a Node.js backend with server-side rendering using Handlebars.
After reading a doc array of objects from handlebars, which contains key "content" an
Starting from version 4.6.0 onward, Handlebars forbids accessing prototype properties and methods of the context object by default. This is related to a security issue described here: https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html
Refer to https://github.com/wycats/handlebars.js/issues/1642
If you are certain that only developers have access to the templates, it's possible to allow prototype access by installing the following package:
npm i @handlebars/allow-prototype-access
If you are using express-handlebars, proceed as follows:
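const
    express = require('express'),
    _handlebars = require('handlebars'),
    expressHandlebars = require('express-handlebars'),
    {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')

const app = express()

// Wrap the Handlebars instance so that templates can read prototype
// properties and methods of the context object again.
// express-handlebars 6 and later export the factory as expressHandlebars.engine.
app.engine('handlebars', expressHandlebars({
    handlebars: allowInsecurePrototypeAccess(_handlebars)
}))
app.set('view engine', 'handlebars')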
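
An alternative to switching the check off for every template, added here as an example that is not part of the original answer: copy only the fields a view needs into plain objects before rendering. `Doc`, `lookupOwn` and `toViewModel` are hypothetical names, the sample data is constructed, and `lookupOwn` is a simplified model of the own-property rule described above, not Handlebars code.

```javascript
// Constructed stand-in for a model/ODM document: its fields are prototype
// getters, so the instance has no own "title" or "content" property.
class Doc {
  constructor(raw) { this._raw = raw; }
  get title() { return this._raw.title; }
  get content() { return this._raw.content; }
  get passwordHash() { return this._raw.passwordHash; }
}

// Simplified model (assumption) of the default lookup since Handlebars 4.6.0:
// a name resolves only if it is an own property of the context object.
function lookupOwn(ctx, key) {
  return Object.prototype.hasOwnProperty.call(ctx, key) ? ctx[key] : undefined;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Copy only allow-listed, data-only fields into a plain object for the view.
function toViewModel(doc, fields) {
  const out = {};
  for (const key of fields) {
    if (FORBIDDEN.has(key)) throw new TypeError(`refusing field name: ${key}`);
    const value = doc[key]; // the getter runs here, in trusted server code
    if (value === undefined || value === null) continue;
    if (value instanceof Date) { out[key] = value.toISOString(); continue; }
    if (typeof value === 'object' || typeof value === 'function') {
      throw new TypeError(`field ${key} is not plain data; map it explicitly`);
    }
    out[key] = value;
  }
  return out;
}

// Constructed sample data.
const docs = [
  new Doc({ title: 'Hello', content: '<p>first post</p>', passwordHash: 'x-not-for-views' }),
  new Doc({ title: 'Again', content: '<p>second post</p>', passwordHash: 'x-not-for-views' }),
];
const viewModels = docs.map((d) => toViewModel(d, ['title', 'content']));

console.log(lookupOwn(docs[0], 'content'));       // blocked: not an own property
console.log(lookupOwn(viewModels[0], 'content')); // resolves from the plain copy
// In a route handler (hypothetical view name): res.render('posts', { docs: viewModels })
```

The templates then see only the listed fields, and the default prototype restriction stays in force for everything else.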