Re: [tw5] Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread Jeremy Ruston
Hi Finn

> On 16 Aug 2021, at 17:22, Finn Lancaster  wrote:
> 
> I don't have much experience with JS macros in TW, but I can imagine it would 
> be the same, especially if there is no sanitisation whatsoever. As to 
> eliminating iframes, normally there is no way to break-out of it. However, in 
> the case of my Proof-of-Concept with TW, the localStorage is global, and can 
> be accessed by ANY SITE. This is just one more reason I believe TW should use 
> browser cookies: they are not accessible from inside iframe, and have more 
> options for security and access.

A big part of the problem is that browsers treat all file:// URIs as a single 
origin, and don’t apply the usual same origin checks. That means that it is 
pretty much impossible to securely use local storage from a file:// URI.  For 
the same reason, browser cookies are no better than local storage.

Best wishes

Jeremy.

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/BB56CA48-E0B5-4499-AF5B-7C357788DB01%40gmail.com.


Re: [tw5] Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread strikke...@gmail.com
I am not so sure about the security of running javascript in iframes. 
Everywhere we are told that we should sandbox the iframe for that reason. 
I am not the one to know anything about it - I am just worried.

It is all about knowing what we are doing - and I am not in the know.

Birthe

On Monday, August 16, 2021 at 3:21:31 PM UTC+2 cj.v...@gmail.com wrote:

> Yeah, for sure a backdoor way to get javascript into TW, I'm assuming safe 
> (i.e. TiddlyWiki knows nothing about the javascript in the iFrame, and the 
> javascript in the iFrame knows nothing about the javascript.
>
> So should be a nice little sandbox.
>
> On Monday, August 16, 2021 at 6:54:15 AM UTC-3 Mohammad wrote:
>
>> Charlie
>>
>> I assume this is a very clever solution!
>> Can we say this is a  backdoor to inject JS into TW.
>> Of course I am not familiar with iframe features in TW!
>>
>>
>> Best wishes
>> Mohammad
>>
>>
>> On Mon, Aug 16, 2021 at 6:57 AM Charlie Veniot  wrote:
>>
>>> I don't know what made me think of this.
>>>
>>> In case this has not been brought up in a while (I doubt this is new to 
>>> seasoned folk) ...
>>>
>>> I was thinking: could I use an iFrame to include simple javascript in a 
>>> tiddler without getting into macros or plugins that enable javascript.
>>>
>>> And, if I could, then could I set things up so that the iFrame is 
>>> showing javascript dynamically created by the tiddler ?
>>>
>>> So here is a way to show a digital clock in TiddlyWiki, for 
>>> non-programmers who just want to copy and paste javascript code from the 
>>> web without figuring out how the javascript code works :
>>>
>>> Put this in a brand new tiddler:
>>>
>>> *<$vars* *vSrcDoc*={{{ [[
>>> let clockEl = document.getElementById("clockDiv");function 
>>> getClockTime() {  let date = new Date();  let hr = 
>>> date.getHours();  let min = date.getMinutes();  let sec = 
>>> date.getSeconds();  hr = ("0" + hr).slice(-2);  min = ("0" + 
>>> min).slice(-2);  sec = ("0" + sec).slice(-2);  clockEl.innerHTML = 
>>> `${hr}:${min}:${sec}`;}setInterval(getClockTime, 1000);  
>>> ]] }}}*>*
>>> *>* style="border:none;width:100%;"
>>> *>*
>>> **
>>>
>>> Sneaky sneaky, has me wondering what kind of other fun things could be 
>>> done...
>>>
>>

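On the sandboxing question raised above, an added example (not code from any poster in this thread or from TiddlyWiki): it classifies how isolated an iframe is from the page that embeds it, based on its sandbox attribute, and builds a srcdoc frame that lets a pasted snippet run without sharing the embedder's origin. The function names and the sample snippet are assumptions made up for the illustration.

```javascript
// Added example: how much an <iframe srcdoc> is isolated from its embedder.
// Function names are hypothetical; the rules are the HTML `sandbox` attribute semantics.

function escapeAttr(value) {
  // Escape for a double-quoted attribute so the snippet cannot end srcdoc early.
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

function classifySandbox(sandboxAttr) {
  // null/undefined = attribute absent: a srcdoc frame then runs in the embedder's
  // origin, so its script can reach the parent DOM, localStorage and cookies.
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { scripts: true, sameOrigin: true, verdict: "not-isolated" };
  }
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  let verdict;
  if (!scripts) verdict = "scripts-blocked";       // nothing executes at all
  else if (sameOrigin) verdict = "not-isolated";   // script can reach the parent and drop the sandbox
  else verdict = "isolated";                       // script runs in an opaque origin
  return { scripts, sameOrigin, verdict };
}

function buildSandboxedFrame(snippetHtml) {
  // allow-scripts only: the snippet runs, but parent DOM access is blocked and
  // localStorage / document.cookie throw SecurityError inside the frame.
  return '<iframe sandbox="allow-scripts" srcdoc="' + escapeAttr(snippetHtml) +
    '" style="border:none;width:100%;"></iframe>';
}

// Constructed sample inputs.
const CLOCK_SNIPPET = '<div id="clockDiv"></div><script>' +
  'document.getElementById("clockDiv").textContent = new Date().toLocaleTimeString();' +
  '</script>';
const CASES = [
  { label: "no sandbox attribute", sandbox: null },
  { label: 'sandbox=""', sandbox: "" },
  { label: 'sandbox="allow-scripts"', sandbox: "allow-scripts" },
  { label: 'sandbox="allow-scripts allow-same-origin"', sandbox: "allow-scripts allow-same-origin" },
];

function audit(cases) {
  return cases.map((c) => ({ label: c.label, ...classifySandbox(c.sandbox) }));
}

console.log(audit(CASES));
console.log(buildSandboxedFrame(CLOCK_SNIPPET));
```
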


Re: [tw5] Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread Charlie Veniot
Yeah, for sure a backdoor way to get javascript into TW, I'm assuming safe 
(i.e. TiddlyWiki knows nothing about the javascript in the iFrame, and the 
javascript in the iFrame knows nothing about the javascript.

So should be a nice little sandbox.

On Monday, August 16, 2021 at 6:54:15 AM UTC-3 Mohammad wrote:

> Charlie
>
> I assume this is a very clever solution!
> Can we say this is a  backdoor to inject JS into TW.
> Of course I am not familiar with iframe features in TW!
>
>
> Best wishes
> Mohammad
>
>
> On Mon, Aug 16, 2021 at 6:57 AM Charlie Veniot  wrote:
>
>> I don't know what made me think of this.
>>
>> In case this has not been brought up in a while (I doubt this is new to 
>> seasoned folk) ...
>>
>> I was thinking: could I use an iFrame to include simple javascript in a 
>> tiddler without getting into macros or plugins that enable javascript.
>>
>> And, if I could, then could I set things up so that the iFrame is showing 
>> javascript dynamically created by the tiddler ?
>>
>> So here is a way to show a digital clock in TiddlyWiki, for 
>> non-programmers who just want to copy and paste javascript code from the 
>> web without figuring out how the javascript code works :
>>
>> Put this in a brand new tiddler:
>>
>> *<$vars* *vSrcDoc*={{{ [[
>> let clockEl = document.getElementById("clockDiv");function 
>> getClockTime() {  let date = new Date();  let hr = 
>> date.getHours();  let min = date.getMinutes();  let sec = 
>> date.getSeconds();  hr = ("0" + hr).slice(-2);  min = ("0" + 
>> min).slice(-2);  sec = ("0" + sec).slice(-2);  clockEl.innerHTML = 
>> `${hr}:${min}:${sec}`;}setInterval(getClockTime, 1000);  
>> ]] }}}*>*
>> *>* style="border:none;width:100%;"
>> *>*
>> **
>>
>> Sneaky sneaky, has me wondering what kind of other fun things could be 
>> done...
>>
>



Re: [tw5] Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread Mohammad Rahmani
Charlie

I assume this is a very clever solution!
Can we say this is a backdoor to inject JS into TW?
Of course I am not familiar with iframe features in TW!


Best wishes
Mohammad


On Mon, Aug 16, 2021 at 6:57 AM Charlie Veniot  wrote:

> I don't know what made me think of this.
>
> In case this has not been brought up in a while (I doubt this is new to
> seasoned folk) ...
>
> I was thinking: could I use an iFrame to include simple javascript in a
> tiddler without getting into macros or plugins that enable javascript.
>
> And, if I could, then could I set things up so that the iFrame is showing
> javascript dynamically created by the tiddler ?
>
> So here is a way to show a digital clock in TiddlyWiki, for
> non-programmers who just want to copy and paste javascript code from the
> web without figuring out how the javascript code works :
>
> Put this in a brand new tiddler:
>
> *<$vars* *vSrcDoc*={{{ [[
> let clockEl = document.getElementById("clockDiv");function
> getClockTime() {  let date = new Date();  let hr =
> date.getHours();  let min = date.getMinutes();  let sec =
> date.getSeconds();  hr = ("0" + hr).slice(-2);  min = ("0" +
> min).slice(-2);  sec = ("0" + sec).slice(-2);  clockEl.innerHTML =
> `${hr}:${min}:${sec}`;}setInterval(getClockTime, 1000);
> ]] }}}*>*
> *>* style="border:none;width:100%;"*>*
> **
>
> Sneaky sneaky, has me wondering what kind of other fun things could be
> done...
>



[tw5] Just a goofy thought: a way to get javascript into a Tiddler

2021-08-15 Thread Charlie Veniot
I don't know what made me think of this.

In case this has not been brought up in a while (I doubt this is new to 
seasoned folk) ...

I was thinking: could I use an iFrame to include simple javascript in a 
tiddler without getting into macros or plugins that enable javascript.

And, if I could, then could I set things up so that the iFrame is showing 
javascript dynamically created by the tiddler ?

So here is a way to show a digital clock in TiddlyWiki, for non-programmers 
who just want to copy and paste javascript code from the web without 
figuring out how the javascript code works :

Put this in a brand new tiddler:

*<$vars* *vSrcDoc*={{{ [[let 
clockEl = document.getElementById("clockDiv");function getClockTime() 
{  let date = new Date();  let hr = date.getHours();  let min = 
date.getMinutes();  let sec = date.getSeconds();  hr = ("0" + 
hr).slice(-2);  min = ("0" + min).slice(-2);  sec = ("0" + 
sec).slice(-2);  clockEl.innerHTML = `${hr}:${min}:${sec}`;}
setInterval(getClockTime, 1000);  ]] }}}*>*
*>* style="border:none;width:100%;"*>*
**

Sneaky sneaky, has me wondering what kind of other fun things could be 
done...
