Releases: pugjs/pug

[email protected]

24 May 17:35
32acfe8

Bug Fixes

  • Update pug-code-gen with the following fix: (#3438)

    Validate that templateName and globals are valid JavaScript identifiers, to prevent possible remote code execution if untrusted user input is passed to the compilation options.

[email protected]

24 May 17:35
32acfe8

Refactors

  • Convert to TypeScript (#3355)

[email protected]

24 May 17:35
32acfe8

Bug Fixes

  • Validate that templateName and globals are valid JavaScript identifiers, to prevent possible remote code execution if untrusted user input is passed to the compilation options (#3438)

[email protected]

28 Feb 19:32
d4b7f60

Bug Fixes

  • Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

[email protected]

28 Feb 18:23
991e78f

Bug Fixes

  • Sanitise the pretty option (#3314)

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible; see #3312 for more details.
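An application-side allowlist for the pretty option described here and for the templateName and globals options named in the fix above, as an added example that is not pug's own code. The helper name `safePugOptions` and the ASCII-only identifier pattern are assumptions made for this illustration.

```javascript
// ASCII-only identifier pattern. Assumption: deliberately stricter than the
// ECMAScript grammar (no Unicode letters, no escapes) to keep the check simple.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The typeof test matters: RegExp.test() coerces its argument to a string,
// so an array or object could otherwise pass as its string form.
function isIdentifier(value) {
  return typeof value === 'string' && IDENTIFIER.test(value);
}

// Hypothetical helper: copy only validated, allowlisted keys from an
// untrusted object (e.g. parsed request JSON) into a fresh options object.
// Anything not listed here is dropped rather than forwarded to the compiler.
function safePugOptions(untrusted) {
  const src = untrusted !== null && typeof untrusted === 'object' ? untrusted : {};
  const out = {};

  if (own(src, 'templateName')) {
    if (!isIdentifier(src.templateName)) {
      throw new TypeError('templateName must be a JavaScript identifier');
    }
    out.templateName = src.templateName;
  }

  if (own(src, 'globals')) {
    if (!Array.isArray(src.globals) || !src.globals.every(isIdentifier)) {
      throw new TypeError('globals must be an array of JavaScript identifiers');
    }
    out.globals = src.globals.slice();
  }

  if (own(src, 'pretty')) {
    const p = src.pretty;
    const ok = typeof p === 'boolean' || (typeof p === 'string' && /^[ \t]+$/.test(p));
    if (!ok) throw new TypeError('pretty must be a boolean or spaces/tabs only');
    out.pretty = p;
  }
  return out;
}

// Constructed sample input: "debug" is not allowlisted, so it is dropped.
const sample = { templateName: 'userCard', globals: ['moment', '$t'], pretty: '  ', debug: true };
console.log(safePugOptions(sample));
```
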

[email protected]

28 Feb 19:31
d4b7f60

Bug Fixes

  • Properly handle non-string values when rethrowing errors (#3269)

[email protected]

28 Feb 19:32
d4b7f60

Bug Fixes

  • Variables starting with keywords cause the regex to "drift" on capture groups, causing errors (#3274)

  • Lexer plugins are not dropped inside tag interpolation (#3296)

    You can use tag interpolation to embed tags in long strings, e.g.

    p.
      This is a #[strong long] string of text.

    Previously, lexer plugins would not work within the #[...] interpolation.

  • Handle escaped unsafe interpolation correctly (#3299)

    If you want to put the literal text #{ in your HTML, it needs to be escaped to indicate that it should not be treated as interpolation. The same is true of !{. You can escape them by prefixing them with \, e.g.

    p These are some \#{ weird \!{ symbols

    Previously this would have incorrectly converted both escaped sequences to #{, resulting in the HTML:

    <p>These are some #{ weird #{ symbols</p>

    Now this correctly generates:

    <p>These are some #{ weird !{ symbols</p>

[email protected]

28 Feb 18:23
991e78f

Bug Fixes

  • Sanitise the pretty option (#3314)

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible; see #3312 for more details.

[email protected]

25 May 12:20
c077df4

Breaking Changes

  • read plugins must now return Buffer if you want to support filters that use renderBuffer (#3213)

    If you don't wish to support this advanced use case, you can continue returning string. If you did not provide a read plugin, you do not need to do anything.

  • The minify option on filters now requires you to install the relevant jstransformer (#3084)

    Currently we support:

    • jstransformer-uglify-js for JavaScript
    • jstransformer-clean-css for CSS

  • Drop support for node 6 and 8 (#3243)

New Features

  • Support filters that apply to Buffers (#3213)

    e.g.

    // options.js
    exports.filters = {
      png: {
        // instead of a function, specify an object with a "renderBuffer" property
        // whose value is a function that takes a Buffer instead of a string
        renderBuffer: function(buffer, options) {
          var data = Buffer.from(buffer).toString('base64');
          return '<img src="data:image/png;base64, ' + data + '"/>';
        }
      }
    };

    You can then use the filter like:

    // foo.pug
    include:png my-small-image.png

  • Add support for replacing code gen via a plugin with generateCode (#3230)

  • Support each ... of ... loops (#3179)

    each value of iterable
      li= value

    This requires an environment that supports the for (const val of iterable) syntax in JS. You can iterate over Maps, Sets etc. as well as arrays. There is also some destructuring of map keys:

    - const map = new Map([['a', 'x'], ['b', 'y']]);
    each [key, value] of map
      li
        strong= key
        = value

[email protected]

25 May 12:19
c077df4

Breaking Changes

  • Drop support for node 6 and 8 (#3243)

New Features

  • Support EachOf tokens (#3179)