
restrictLayoutsTo check fails on valid absolute paths #270

@lowerpower

Description

🐛 Bug: restrictLayoutsTo check fails when layout path is absolute

In express-hbs/lib/hbs.js, this logic currently fails for valid layout paths if the layout is passed as an absolute path:

if (this.restrictLayoutsTo) {
  if (!layoutFile.startsWith(this.restrictLayoutsTo)) {
    var err = new Error('Cannot read ' + layoutFile + ' it does not reside in ' + this.restrictLayoutsTo);
    return cb(err, null);
  }
}

This breaks themes when layouts are loaded by full path (e.g., /var/lib/ghost/content/themes/taste/default) even though they do reside under content/themes/taste.


✅ Proposed Fix

Use path.relative() to properly verify the layout's path is inside the allowed directory:

if (this.restrictLayoutsTo) {
  const path = require('path');
  // Resolve both sides and express the layout path relative to the allowed
  // directory; a relative or absolute layout path is handled the same way.
  const relativePath = path.relative(this.restrictLayoutsTo, layoutFile);

  // A result that climbs upward ('..') or that is absolute (e.g. a different
  // drive on Windows) means the layout is outside the allowed directory.
  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
    const err = new Error('Cannot read ' + layoutFile + ' it does not reside in ' + this.restrictLayoutsTo);
    return cb(err, null);
  }
}

This is safer and more reliable than startsWith().


📦 Affected Versions

This occurs with Ghost CMS >=5.x, which uses express-hbs with absolute paths and restrictLayoutsTo set.


🙋‍♂️ Maintainer Notes

Happy to submit a PR referencing this issue.
