feat: remove memoryLimit; add templateLimit, outputLengthLimit, maxDepth#937
Merged
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
Enforce v11 resource guards in render and tags, fix for offset/else behavior, and update tutorials for Tag-class registration. Co-authored-by: Cursor <cursoragent@cursor.com>
Coverage Report for CI Build 29350402930Warning No base build found for commit Coverage: 99.551%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsRequires a base build to compare against. How to fix this → Coverage Stats💛 - Coveralls |
Restore the two-example register-filters-tags structure (Value + Hash) and undo unrelated constructor/emitter doc edits not required for DoS limits. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove diary-style engine comparisons from security-model.md. Update render-tag-content tutorial to Tag class examples with tpls class field. Co-authored-by: Cursor <cursoragent@cursor.com>
Explain why async render does not need maxDepth for stack protection based on generator/toPromise driving. Co-authored-by: Cursor <cursoragent@cursor.com>
Replace increaseDepth/decreaseDepth with a shared Limiter that supports paired use/release, matching templateLimit and outputLengthLimit patterns. Co-authored-by: Cursor <cursoragent@cursor.com>
Restore misc.ts from origin/next with LF line endings and re-apply only memoryLimit removal, avoiding CRLF and blank-line churn in the export block. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
docs: restructure security model with production guidance Co-authored-by: Cursor <cursoragent@cursor.com>
Drop try/finally around depthLimit in include, layout, and render; release at generator end. Consolidate production guidance in security-model.md. Fix padded-blocks lint in dos.spec.ts. Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
memoryLimit(Deprecate memoryLimit in favor of a simple post check for output HTML #910); addtemplateLimit,outputLengthLimit, andmaxDepthfor DoS limits in render/emitters and include/render/layout tags.registerTagno longer accepts{ parse, render }object literals (since feat!: drop TagImplOptions in favor of Tag classes (#839) #927 /TagImplOptionsremoval); register a class extendingTaginstead.memoryLimit.for: evaluateelseafterlimit/offset; omit loop body when the iteration produces no output.memoryLimitUI.Test plan
npm run buildnpm test(dos.spec.ts,for.spec.ts)