Releases · pugjs/pug

pug@3.0.4

Update pug-code-gen with the following fix: (#3438)

Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

Sanitise the pretty option (#3314)

If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

Variables starting with keywords cause the regex to "drift" on capture groups, causing errors (#3274)
Lexer plugins are not dropped inside tag interpolation (#3296)

You can use tag interpolation to embed tags in long strings, e.g.
```
p.
  This is a #[strong long] string of text.
```
Previously, lexer plugins would not work within the #[...] interpolation.
Handle escaped unsafe interpolation correctly (#3299)

If you want to put the literal text #{ in your html, it needs to be escaped to indicate that it should not be treated as interpolation. The same is true of !{ You can escape them by prefixing them with \, e.g.
```
p These are some \#{ weird \!{ symbols
```
Previously this would have incorrectly converted both escaped sequences to #{, resulting in the html:
```
<p>These are some #{ weird #{ symbols</p>
```
Now this correctly generates:
```
<p>These are some #{ weird !{ symbols</p>
```

Sanitise the pretty option (#3314)

If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.