RCE possible in compat and strict mode

[nknapp]

Two security issues have arised and are fixed in the referencing commits:

1. Due to insufficient escaping of the input template, it was possible to inject code into templates that are compiled in "compat" mode.

2. In "strict" mode, the exploits disclosed in the npm-security advisories 755,
   1164, 1316,
   1324 and 1325 and in the blog-article
   of Mahmoud Gamal possible, because the the method that was used in strict-mode had not called the safe-guard methods.

The issues have been disclosed a couple of weeks ago at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 and are fixed in version 4.7.7

[joshbressers]

This issue is getting flagged by security scanners (the commits have scary words in them it would seem). Can you clarify if these are indeed security fixes?

Thanks in advance

[nknapp]

Yes, these are indeed security fixes, although only relevant in "compat" and "strict" mode.
I'm not sure if they are already disclosed. My plan is to fill this issue with more details and links when they are.