Node JS, Express Handlebars Solution – Access has been denied to resolve the property
Recently I was working on a small exercise on Node JS and was using Handlebars for rendering list. But, I was getting error “Access has been denied to resolve the property “name” because it is not an “own property” of its parent.” while iterating through each loop and for displaying object properties.
I was using Express Handlebars version 5.1.0 and express 4.17. And it threw below error.
Handlebars: Access has been denied to resolve the property "name" because it is not an "own property" of its parent.
You can add a runtime option to disable the check or this warning:
See https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access for details
Handlebars: Access has been denied to resolve the property "email" because it is not an "own property" of its parent.
You can add a runtime option to disable the check or this warning:
Handlebars: Access has been denied to resolve the property "registerdate" because it is not an "own property" of its parent.
You can add a runtime option to disable the check or this warning:
See https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access for details
I had an object which I was returning from the MongoDB and then I was iterating through that list to display users.
Following code loops through list and display’s user details.
{{#each list}}
<tr>
<th scope="row">1</th>
<td>{{this.name}}</td>
<td>{{this.email}}</td>
<td>{{this.registerdate}}</td>
</tr>
{{/each}}
But while iterating, it was not showing anything and my table was blank. If I print “this”, then it was displaying all contents.
So I checked the link of the documentation, which was available along with error for more details.
There are multiple security issues with accessing prototype properties and methods of the context object by default.
As per documentation
From version 4.6.0 on, Handlebars forbids accessing prototype properties and methods of the context object by default. The reason are various security issues that arise from this possibility.
Previously my code was
app.engine(
"handlebars",
exphbs({
defaultLayout: "main",
})
);
app.set("view engine", "handlebars");
To fix this, we need to add couple of configuration options to runtimeOptions.
2 options are
- allowProtoPropertiesByDefault
- allowProtoMethodsByDefault
allowProtoPropertiesByDefault (since 4.7.0): a boolean (default: false) that defines whether non-method properties that are defined on the prototype of an object should be resolvable or not, by default.
allowProtoMethodsByDefault (since 4.7.0): a boolean (default: false) that defines whether methods that are define on the prototype of an object should be resolvable or not, by default.
After I add these two options, and set their values to true, my code started working.
app.engine(
"handlebars",
exphbs({
defaultLayout: "main",
runtimeOptions: {
allowProtoPropertiesByDefault: true,
allowProtoMethodsByDefault: true,
},
})
);
app.set("view engine", "handlebars");
Let me know if this solves your issue or you have any other way to fix this issue.
Very, very helpful! Thank you!
Thank you so much. It solves my problem.
thanks, solved my headache
Thank you so much!!!!
OMG thank you so much you are my life saver!!!
Thank you very much!
Thanks, solved my issue too but if this is considered insecure id really like to know the “proper” way of doing it.