From 59ab496fbfa12b69629f81a474b06f99a830917f Mon Sep 17 00:00:00 2001
From: Brandon Kobel
Date: Tue, 22 Jan 2019 10:18:44 -0800
Subject: [PATCH] Only using known handlers with handlebars (#27061) (#27318)
---
 src/core_plugins/metrics/public/components/lib/replace_vars.js | 2 +-
 .../metrics/public/components/lib/tick_formatter.js | 2 +-
 utilities/visual_regression.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core_plugins/metrics/public/components/lib/replace_vars.js b/src/core_plugins/metrics/public/components/lib/replace_vars.js
index 307059bcb95a..ec9e05ed0b26 100644
--- a/src/core_plugins/metrics/public/components/lib/replace_vars.js
+++ b/src/core_plugins/metrics/public/components/lib/replace_vars.js
@@ -2,7 +2,7 @@ import _ from 'lodash';
 import handlebars from 'handlebars/dist/handlebars';
 export default function replaceVars(str, args = {}, vars = {}) {
 try {
- const template = handlebars.compile(str);
+ const template = handlebars.compile(str, { knownHelpersOnly: true });
 return template(_.assign({}, vars, { args }));
 } catch (e) {
 return str;
diff --git a/src/core_plugins/metrics/public/components/lib/tick_formatter.js b/src/core_plugins/metrics/public/components/lib/tick_formatter.js
index dff3a7b6b20f..53f2ccc6bae4 100644
--- a/src/core_plugins/metrics/public/components/lib/tick_formatter.js
+++ b/src/core_plugins/metrics/public/components/lib/tick_formatter.js
@@ -10,7 +10,7 @@ const formatLookup = {
 export default (format = '0,0.[00]', template) => {
 if (!template) template = '{{value}}';
- const render = handlebars.compile(template);
+ const render = handlebars.compile(template, { knownHelpersOnly: true });
 return (val) => {
 const formatString = formatLookup[format] || format;
 let value;
diff --git a/utilities/visual_regression.js b/utilities/visual_regression.js
index 98d345c6f5e2..3c06bffabec3 100644
--- a/utilities/visual_regression.js
+++ b/utilities/visual_regression.js
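Review bot: In `replace_vars.js`, a template that `knownHelpersOnly` rejects falls into the existing `catch (e) { return str; }`, so the caller gets the raw string back with no sign that it was refused. A comment such as `// unknown helper or malformed template: fall back to the literal string` would mark that as deliberate, and logging the error would make refused templates visible. The diffstat lists no test file, so a regression test asserting that a string invoking an unregistered helper comes back unchanged would stop the option from being dropped unnoticed. The option limits which helpers a template may call and, as far as I can tell, does not restrict property lookups on the context, so it should be paired with a Handlebars release that hardens those. `replaceVars` closes outside the hunk.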
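Review bot: In `tick_formatter.js`, `handlebars.compile` defers the real compilation to the first `render(...)` call, so an unknown-helper error from `knownHelpersOnly` surfaces inside the returned `(val) => { … }` closure and not on the changed line. That closure's body runs past the end of the hunk, so it is not visible whether the `render` call is guarded. If it is not, a `try`/`catch` around it that falls back to the unformatted value would keep one bad template from breaking tick rendering. A comment on the changed line, e.g. `// restrict the template to registered helpers; unknown ones fail on first render`, would record why the option is there.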
@@ -37,7 +37,7 @@ async function buildGallery(comparisons) {
 const template = Handlebars.compile(await readFileAsync(
 path.resolve('./utilities/templates/visual_regression_gallery.handlebars')
- , 'utf8'));
+ , 'utf8'), { knownHelpersOnly: true });
 const html = template({
 date: moment().format('MMMM Do YYYY, h:mm:ss a'),
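Review bot: The new options object in `buildGallery` sits after `, 'utf8')` on a leading-comma line, where it reads like a third argument to `readFileAsync` and not the second argument to `Handlebars.compile`. Hoisting the read makes the call unambiguous: `const source = await readFileAsync(path.resolve('./utilities/templates/visual_regression_gallery.handlebars'), 'utf8');` followed by `const template = Handlebars.compile(source, { knownHelpersOnly: true });`. If the gallery template calls any helper registered elsewhere in this utility, that helper also has to be listed under `knownHelpers` or rendering will throw. The template file is not part of this patch, so that needs checking. `buildGallery` continues beyond the hunk.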