| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | | | |
| README.md | 2026-05-02 | 2.9 kB | |
| v6.1.0 - security and bug-fix update source code.tar.gz | 2026-05-02 | 75.2 kB | |
| v6.1.0 - security and bug-fix update source code.zip | 2026-05-02 | 128.7 kB | |
| Totals: 3 Items | | 206.8 kB | 0 |
# Changelog

All notable changes to this project will be documented in this file.

## [6.1.0] - 2026-05-02

This release is primarily a security and bug-fix update. All users are encouraged to update.

### Fixed

- `removetags` filter: tag names containing regex metacharacters no longer panic the renderer.
- `{% cycle %}` tag: the cycle index is now tracked per template execution instead of being mutated on the parsed AST node. Concurrent renders of a cached template no longer race, and sequential renders no longer leak state from a previous execution.
- `{% ifchanged %}` tag: `lastValues`/`lastContent` are now tracked per template execution instead of being mutated on the parsed AST node, fixing both a data race under concurrent renders and state leaking between sequential renders of a cached template.
- `{% ifchanged %}` tag: rendering an `{% ifchanged %}` block without an `{% else %}` branch no longer crashes with a nil-pointer dereference when the watched value is unchanged. This matches Django's behavior of producing no output.
- `{% filter %}` tag: `BanFilter` is now enforced inside `{% filter %}` blocks.
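The `{% cycle %}` and `{% ifchanged %}` fixes above share one design change: mutable render state moves off the parsed (and cached) AST node into a per-execution context. The following is an added, self-contained Go illustration of that change, written for this page; it is not pongo2's code. It models a minimal `{% cycle %}` node in both shapes, the pre-fix node that mutates its own index (`leakyCycleNode`, a name invented here) and the fixed node whose index lives in an `execContext` created per render, and shows that the fixed design gives identical output for sequential and concurrent renders of the same cached node.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// cycleNode is what the parser produces for a {% cycle a b %} tag. In the fixed
// design it carries only immutable parse data; the rotating index lives in the
// per-render execContext instead. (Hypothetical type, not pongo2's.)
type cycleNode struct {
	args []string
}

// execContext holds every piece of mutable render state, keyed by the node that
// owns it. A fresh one is created per render, so two renders of the same cached
// template never share or observe each other's counters.
type execContext struct {
	cycleIdx map[*cycleNode]int
}

func newExecContext() *execContext {
	return &execContext{cycleIdx: make(map[*cycleNode]int)}
}

// execute returns the current cycle value for this render and advances it.
func (n *cycleNode) execute(ctx *execContext) string {
	i := ctx.cycleIdx[n]
	ctx.cycleIdx[n] = i + 1
	return n.args[i%len(n.args)]
}

// leakyCycleNode is the pre-fix shape: the index is mutated on the parsed node
// itself, so it survives between renders and is written by concurrent renders.
type leakyCycleNode struct {
	args []string
	idx  int
}

func (n *leakyCycleNode) execute() string {
	v := n.args[n.idx%len(n.args)]
	n.idx++
	return v
}

// renderRows simulates a {% for %} loop emitting one {% cycle %} value per row,
// using per-execution state.
func renderRows(node *cycleNode, rows int) string {
	ctx := newExecContext() // one context per render, as the fix does
	out := make([]string, 0, rows)
	for i := 0; i < rows; i++ {
		out = append(out, node.execute(ctx))
	}
	return strings.Join(out, " ")
}

// renderRowsLeaky runs the same loop against the node-mutating variant.
func renderRowsLeaky(node *leakyCycleNode, rows int) string {
	out := make([]string, 0, rows)
	for i := 0; i < rows; i++ {
		out = append(out, node.execute())
	}
	return strings.Join(out, " ")
}

// renderConcurrently renders the same cached node from n goroutines at once and
// reports whether every render produced identical output, the property that
// per-execution state guarantees.
func renderConcurrently(node *cycleNode, n, rows int) bool {
	results := make([]string, n)
	var wg sync.WaitGroup
	for g := 0; g < n; g++ {
		wg.Add(1)
		go func(slot int) {
			defer wg.Done()
			results[slot] = renderRows(node, rows)
		}(g)
	}
	wg.Wait()
	for _, r := range results[1:] {
		if r != results[0] {
			return false
		}
	}
	return true
}

func main() {
	fixed := &cycleNode{args: []string{"odd", "even"}}
	leaky := &leakyCycleNode{args: []string{"odd", "even"}}
	// Sequential renders of a cached node: the fixed node restarts at "odd" every
	// time; the leaky one continues where the previous render stopped.
	fmt.Println(renderRows(fixed, 3), "|", renderRows(fixed, 3))
	fmt.Println(renderRowsLeaky(leaky, 3), "|", renderRowsLeaky(leaky, 3))
	fmt.Println("concurrent renders agree:", renderConcurrently(fixed, 8, 5))
}
```

The same pattern applies to `{% ifchanged %}`: its `lastValues`/`lastContent` belong in the per-render context keyed by node, not on the node. Running the leaky variant under `go test -race` with concurrent renders is the quickest way to surface the original data race in a code base of this shape.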
### Changed

- `{% ssi %}` plaintext mode now reads the included file through the configured `TemplateLoader` chain instead of `ioutil.ReadFile`, so non-filesystem loaders (`FSLoader`, `HttpFilesystemLoader`, custom) can serve SSI content.
- Template error reporting (`RawLine`) now reads source lines through the template's loader chain instead of opening files directly with `os.Open`. Error line extraction now works for any `TemplateLoader`.

### Removed

- `SandboxedFilesystemLoader` and `NewSandboxedFilesystemLoader` have been removed. They were marked WIP, never wired into any enforcement path, and behaved as a thin pass-through to `LocalFilesystemLoader`. Callers should use `LocalFilesystemLoader` directly; sandboxing should be implemented via a custom `TemplateLoader`.

  Note: this is technically an API-breaking removal, but the type was unused WIP code that never provided sandboxing.

### Documentation

- Clarified that pongo2 does not provide a true sandbox. `BanTag` and `BanFilter` only refuse to compile templates that reference banned names; they do not isolate Go execution, restrict filesystem access, or contain malicious templates. README, `TemplateSet` field comment, `DefaultLoader` comment, and parser error messages updated accordingly.
- Added a Security section to the README documenting that template loaders (`LocalFilesystemLoader`, `HttpFilesystemLoader`, `FSLoader`) do not clamp paths to a base directory and that template filenames must be treated as trusted input.
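The Removed and Documentation entries both point in the same direction: the built-in loaders do not clamp paths, so a deployment whose template names are not fully trusted must supply its own `TemplateLoader`. The following is an added Go example, written for this page rather than taken from pongo2, of a loader that serves templates from an `fs.FS` and refuses any name that resolves outside it. It assumes pongo2's `TemplateLoader` interface has the shape `Abs(base, name string) string` and `Get(path string) (io.Reader, error)`; `ClampedLoader`, `ReadTemplate` and the in-memory `demoFS` tree are constructed here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"path"
	"testing/fstest"
)

// ErrOutsideBase is returned for any template name that resolves outside the
// loader's root; the loader rejects rather than silently re-rooting it.
var ErrOutsideBase = errors.New("template path escapes loader root")

// ClampedLoader serves templates from an fs.FS and refuses names that escape it.
// Its Abs/Get pair follows the assumed shape of pongo2's TemplateLoader.
type ClampedLoader struct {
	fsys fs.FS
}

// NewClampedLoader wraps any fs.FS (os.DirFS for a real directory, fstest.MapFS here).
func NewClampedLoader(fsys fs.FS) *ClampedLoader {
	return &ClampedLoader{fsys: fsys}
}

// Abs resolves name relative to the directory of the including template (base),
// as a template engine does for include/extends, and normalises the result with
// path.Clean so that any ".." left over after cleaning is a genuine escape.
func (l *ClampedLoader) Abs(base, name string) string {
	if path.IsAbs(name) {
		return path.Clean(name) // kept rooted on purpose; Get rejects it
	}
	return path.Clean(path.Join(path.Dir(base), name))
}

// Get opens a resolved path. After Clean, fs.ValidPath is false exactly for the
// names that would leave the root: anything starting with "/", anything that
// still contains a ".." element, and empty or trailing-slash names.
func (l *ClampedLoader) Get(p string) (io.Reader, error) {
	clean := path.Clean(p)
	if !fs.ValidPath(clean) {
		return nil, fmt.Errorf("%w: %q", ErrOutsideBase, p)
	}
	data, err := fs.ReadFile(l.fsys, clean)
	if err != nil {
		return nil, err
	}
	return bytes.NewReader(data), nil
}

// ReadTemplate chains Abs and Get the way an engine does when base includes
// name, and returns the template body as a string.
func ReadTemplate(l *ClampedLoader, base, name string) (string, error) {
	r, err := l.Get(l.Abs(base, name))
	if err != nil {
		return "", err
	}
	b, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// demoFS is a constructed in-memory template tree standing in for a directory.
var demoFS = fstest.MapFS{
	"layout.html":      {Data: []byte("<html>{% block body %}{% endblock %}</html>")},
	"pages/index.html": {Data: []byte(`{% extends "../layout.html" %}`)},
}

func main() {
	l := NewClampedLoader(demoFS)
	for _, c := range [][2]string{
		{"", "pages/index.html"},                // top-level lookup
		{"pages/index.html", "../layout.html"},  // legitimate parent reference
		{"pages/index.html", "../../outside.txt"}, // resolves above the root: rejected
		{"", "/outside.txt"},                    // rooted name: rejected
	} {
		body, err := ReadTemplate(l, c[0], c[1])
		fmt.Printf("base=%q name=%q -> body=%q err=%v\n", c[0], c[1], body, err)
	}
}
```

Resolving against the including template's directory keeps legitimate `../layout.html` references working while still failing closed for anything that would climb above the root. Because the check runs on the cleaned path rather than on the raw string, it is not fooled by `a/../../b` style names, and wrapping with `%w` lets callers test for `ErrOutsideBase` with `errors.Is`.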
Full Changelog: https://github.com/flosch/pongo2/compare/v6.0.0...v6.1.0