[tw5] Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Finally! Great way to easily debug and play with JavaScript external libraries in TW5, instead of wrapping them each time into a plugin.

On Thursday, 29 January 2015 23:12:01 UTC+3, Tobias Beer wrote:
> While having no plans of using this (yet),
> however, seeing how that cat is out of the box anyhow,
> here's a single *script* macro to toggle
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Hi Jeremy,

It's interesting that you choose to restrict javascript usage to make it more safe to share content. Thanks for the explanation.

Best,
Matt

On Sunday, March 5, 2017 at 3:25:01 PM UTC-5, Jeremy Ruston wrote:
> Hi Matt
>
> Just to add to the answers from others,
>
> > I'm also somewhat confused about why we have javascript macros then, and what the difference is there.
>
> The objective of TiddlyWiki’s security restrictions is to make it possible to safely share content between users. That requires that JavaScript code be clearly identified so that the recipient can decide whether to trust it enough to execute it or not; if we allowed inline JavaScript within fragments of wikitext then a recipient couldn’t know whether they could safely render incoming wikitext.
>
> So, JavaScript macros are permitted because they are readily identified as such, and can be blocked when required.
>
> The other factor in TiddlyWiki’s design that affects the use of third party JavaScript libraries is that TiddlyWiki doesn’t support the traditional web development paradigm of keeping state data in the DOM (this is the paradigm popularised a decade ago by jQuery). Instead, TiddlyWiki uses a virtual DOM and differential updates (this is the paradigm used by recent frameworks like React). The net effect is that TiddlyWiki generally doesn’t support just dropping in a
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Hi Matt

Just to add to the answers from others,

> I'm also somewhat confused about why we have javascript macros then, and what the difference is there.

The objective of TiddlyWiki’s security restrictions is to make it possible to safely share content between users. That requires that JavaScript code be clearly identified so that the recipient can decide whether to trust it enough to execute it or not; if we allowed inline JavaScript within fragments of wikitext then a recipient couldn’t know whether they could safely render incoming wikitext.

So, JavaScript macros are permitted because they are readily identified as such, and can be blocked when required.

The other factor in TiddlyWiki’s design that affects the use of third party JavaScript libraries is that TiddlyWiki doesn’t support the traditional web development paradigm of keeping state data in the DOM (this is the paradigm popularised a decade ago by jQuery). Instead, TiddlyWiki uses a virtual DOM and differential updates (this is the paradigm used by recent frameworks like React). The net effect is that TiddlyWiki generally doesn’t support just dropping in a
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Oh. nice solution. Will try this one too. Thanks!

On Thursday, 29 January 2015 13:38:51 UTC-5, BJ wrote:
> you are looking for
>
> exports.htmlUnsafeElements = "script".split(",");
>
> but I think it would be better to include a couple of macros to switch scripting on and off:
>
> create a tiddler (any name will do) and set the type to application/json
> add field module-type with value macro
> and insert in it
>
> (function(){
>
> /*jslint node: true, browser: true */
> /*global $tw: false */
> "use strict";
>
> /* Information about this macro */
> exports.name = "enablescript";
> exports.params = [];
>
> /* Run the macro */
> exports.run = function() {
>     $tw.config.htmlUnsafeElements = "";
>     return "";
> };
>
> })();
>
> then another tiddler with the type to application/json
> add field module-type with value macro
>
> (function(){
>
> /*jslint node: true, browser: true */
> /*global $tw: false */
> /* Information about this macro
> returns value of key in a data json tiddler
> note that macros are not connected with the refresh mechanism -use with caution.
> */
> exports.name = "disablescript";
> exports.params = [];
>
> /* Run the macro */
> exports.run = function() {
>     $tw.config.htmlUnsafeElements = "script".split(",");
>     return "";
> };
>
> })();
>
> then use in a tiddler like this
>
> <<enablescript>>
> <script type="text/javascript">
> alert("Hooray");
> </script>
> <<disablescript>>
> <script type="text/javascript">
> alert("Hooray2");
> </script>
>
> cheers
> BJ
>
> On Thursday, January 29, 2015 at 11:18:18 AM UTC-6, Jimmy Armand wrote:
> > Sorry but I'm not sure I understand what you mean. Is it that there's a parameter named script that will help me do what I want? Because in the config.js, there's no script configuration to be found.
> >
> > On Wednesday, 28 January 2015 19:12:02 UTC-5, Tobias Beer wrote:
> > > > It's not hard to find. If you search the source tree for "script" (including quotes) you'll see this in *config.js*...
> > >
> > > Thanks for the pointers.

--
You received this message because you are subscribed to the Google Groups TiddlyWiki group.
To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com.
To post to this group, send email to tiddlywiki@googlegroups.com.
Visit this group at http://groups.google.com/group/tiddlywiki.
For more options, visit https://groups.google.com/d/optout.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Thanks. Will try this today.

On Thursday, 29 January 2015 15:12:01 UTC-5, Tobias Beer wrote:
> While having no plans of using this (yet),
> however, seeing how that cat is out of the box anyhow,
> here's a single *script* macro to toggle script tags on and off, BJ style:
>
> http://fiddle.tiddlyspot.com
>
> Best wishes, Tobias.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
That would be great. Thanks

On Wednesday, 28 January 2015 11:25:39 UTC-5, Jeremy Ruston wrote:
> TiddlyWiki is designed to block JavaScript in wiki text content to make sure that it is safe to share wiki text content. It's necessary so that we can explore multi-user server configurations and federation. If the act of viewing content authored by someone else causes executable JS code to run then it becomes possible for a malicious actor to, for example, craft a message that actually contains code to steal or delete your personal information.
>
> So, in TW5, there is a strict distinction between wiki text tiddlers (text/vnd.tiddlywiki) and JavaScript module tiddlers (type text/javascript, and with a module-type field). That allows us to filter content from other sources to ensure that we don't allow executable code.
>
> Obviously, these aren't concerns for many users who are working privately. We can serve their needs with a plugin that explicitly enables inline JavaScript, but it's not something that will ever be supported directly by the core.
>
> Best wishes
>
> Jeremy.
>
> On Wed, Jan 28, 2015 at 4:15 PM, Jimmy Armand jimmy@gmail.com wrote:
> > Yeah but I think that this method is not really nice since I want to put the javascript in a tiddler (text/vnd.tiddlywiki)
> >
> > On Wednesday, 28 January 2015 06:44:47 UTC-5, Stephan Hradek wrote:
> > > Go to tiddlywiki.com
> > > Create a New Tiddler
> > > Paste this into the tiddler:
> > >
> > > <script type="text/javascript">
> > > alert("Hooray");
> > > </script>
> > >
> > > Set the type to text/html
> > > Finish editing
> > > Hooray!
>
> --
> Jeremy Ruston
> mailto:jeremy...@gmail.com
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Sorry but I'm not sure I understand what you mean. Is it that there's a parameter named script that will help me do what I want? Because in the config.js, there's no script configuration to be found.

On Wednesday, 28 January 2015 19:12:02 UTC-5, Tobias Beer wrote:
> > It's not hard to find. If you search the source tree for "script" (including quotes) you'll see this in *config.js*...
>
> Thanks for the pointers.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
you are looking for

exports.htmlUnsafeElements = "script".split(",");

but I think it would be better to include a couple of macros to switch scripting on and off:

create a tiddler (any name will do) and set the type to application/json
add field module-type with value macro
and insert in it

(function(){

/*jslint node: true, browser: true */
/*global $tw: false */
"use strict";

/* Information about this macro */
exports.name = "enablescript";
exports.params = [];

/* Run the macro */
exports.run = function() {
    $tw.config.htmlUnsafeElements = "";
    return "";
};

})();

then another tiddler with the type to application/json
add field module-type with value macro

(function(){

/*jslint node: true, browser: true */
/*global $tw: false */
/* Information about this macro
returns value of key in a data json tiddler
note that macros are not connected with the refresh mechanism -use with caution.
*/
exports.name = "disablescript";
exports.params = [];

/* Run the macro */
exports.run = function() {
    $tw.config.htmlUnsafeElements = "script".split(",");
    return "";
};

})();

then use in a tiddler like this

<<enablescript>>
<script type="text/javascript">
alert("Hooray");
</script>
<<disablescript>>
<script type="text/javascript">
alert("Hooray2");
</script>

cheers
BJ

On Thursday, January 29, 2015 at 11:18:18 AM UTC-6, Jimmy Armand wrote:
> Sorry but I'm not sure I understand what you mean. Is it that there's a parameter named script that will help me do what I want? Because in the config.js, there's no script configuration to be found.
>
> On Wednesday, 28 January 2015 19:12:02 UTC-5, Tobias Beer wrote:
> > > It's not hard to find. If you search the source tree for "script" (including quotes) you'll see this in *config.js*...
> >
> > Thanks for the pointers.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Hi BJ,

did you test this or is it a hypothetical?

Best wishes, Tobias.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
While having no plans of using this (yet),
however, seeing how that cat is out of the box anyhow,
here's a single *script* macro to toggle script tags on and off, BJ style:

http://fiddle.tiddlyspot.com

Best wishes, Tobias.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Hi Tobi

On Wed, Jan 28, 2015 at 2:00 AM, Tobias Beer beertob...@gmail.com wrote:
> I never actually looked at the core to find what disables script tags. I'd be curious to figure out how to enable them. Anyone wanting to mess with your data would do the same thing. I prefer to know myself how that's done.

It's not hard to find. If you search the source tree for "script" (including quotes) you'll see this in config.js:

exports.htmlUnsafeElements = "script".split(",");

Then search for htmlUnsafeElements to find where it is used in $:/core/modules/widgets/element.js:

var tag = this.parseTreeNode.tag;
if($tw.config.htmlUnsafeElements.indexOf(tag) !== -1) {
    tag = "safe-" + tag;
}
var domNode = this.document.createElementNS(this.namespace,tag);

Note that script tags are allowed in text/html tiddlers because they are safely sandboxed in an iframe.

Best wishes

Jeremy.

> Best wishes, Tobias.

--
Jeremy Ruston
mailto:jeremy.rus...@gmail.com
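The renaming check quoted in this message, as an added example that is not part of the original post and is not TiddlyWiki's source: a stand-in renderer applies the same htmlUnsafeElements test to a constructed parse tree, and guardIntact reports when the list no longer names script, which is the state the enablescript macro posted elsewhere in this thread leaves behind. The node shapes and the names effectiveTag, render, guardIntact, SAMPLE_TREE and TOGGLED are assumptions made for the example.

```javascript
// Added illustration, not TiddlyWiki source. Node shapes and helper names are
// assumptions made for this example.
const config = { htmlUnsafeElements: "script".split(",") }; // default quoted from config.js

// Same test as the quoted element.js lines: listed tags become safe-<tag>.
function effectiveTag(tag, cfg = config) {
  return cfg.htmlUnsafeElements.indexOf(tag) !== -1 ? "safe-" + tag : tag;
}

// Serialise a tree of {tag, children} and {text} nodes to markup.
function render(node, cfg = config) {
  if (node.text !== undefined) {
    return node.text.replace(/&/g, "&amp;").replace(/</g, "&lt;");
  }
  const tag = effectiveTag(node.tag, cfg);
  const inner = (node.children || []).map((c) => render(c, cfg)).join("");
  return "<" + tag + ">" + inner + "</" + tag + ">";
}

// The guard protects only while the list still names "script".
function guardIntact(cfg = config) {
  const list = cfg.htmlUnsafeElements;
  return Array.isArray(list) && list.indexOf("script") !== -1;
}

// Constructed wikitext parse tree: a paragraph followed by an inline script.
const SAMPLE_TREE = {
  tag: "div",
  children: [
    { tag: "p", children: [{ text: "shared note" }] },
    { tag: "script", children: [{ text: "alert(1)" }] },
  ],
};

// State left behind by the enablescript macro posted in this thread.
const TOGGLED = { htmlUnsafeElements: "" };

console.log(render(SAMPLE_TREE));          // script rendered as safe-script
console.log(guardIntact(), guardIntact(TOGGLED));
console.log(render(SAMPLE_TREE, TOGGLED)); // script element passes through
```

The list is shared configuration, so the toggled state applies to every element rendered until it is restored.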
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
On Wednesday, 28 January 2015 12:49:27 UTC+1, Jeremy Ruston wrote:
> Note that script tags are allowed in text/html tiddlers because they are safely sandboxed in an iframe.

I'm not sure whether or not I understand sandboxed correctly.

Please go to tiddlywiki.com
Set a username
Create a New Tiddler
Paste this into the tiddler:

<script type="text/javascript">
alert("hooray!\n\n" +
    "Your username is '" + window.parent.$tw.wiki.getTiddlerText("$:/status/UserName") + "'\n\n" +
    "And this wiki is called '" + window.parent.$tw.wiki.getTiddlerText("$:/SiteTitle") + "'");
</script>

Set the type to text/html
Finish editing
Hooray!
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
Hi Stephan

Good catch. It seems to depend on the browser: Firefox seems to allow the cross domain access, but Safari and Chrome do not allow it in my tests. I'll investigate whether adding the sandbox attribute improves things.

Best wishes

Jeremy.

On Wed, Jan 28, 2015 at 1:32 PM, Stephan Hradek stephan.hra...@gmail.com wrote:
> On Wednesday, 28 January 2015 12:49:27 UTC+1, Jeremy Ruston wrote:
> > Note that script tags are allowed in text/html tiddlers because they are safely sandboxed in an iframe.
>
> I'm not sure whether or not I understand sandboxed correctly.
>
> Please go to tiddlywiki.com
> Set a username
> Create a New Tiddler
> Paste this into the tiddler:
>
> <script type="text/javascript">
> alert("hooray!\n\n" +
>     "Your username is '" + window.parent.$tw.wiki.getTiddlerText("$:/status/UserName") + "'\n\n" +
>     "And this wiki is called '" + window.parent.$tw.wiki.getTiddlerText("$:/SiteTitle") + "'");
> </script>
>
> Set the type to text/html
> Finish editing
> Hooray!

--
Jeremy Ruston
mailto:jeremy.rus...@gmail.com
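The sandbox attribute mentioned in this reply, as an added example that is not part of the original post and is not TiddlyWiki's code: it builds iframe markup for an untrusted text/html body and rejects sandbox token lists that would leave the framed script able to reach window.parent. The helper names escapeAttr, auditSandbox and frameMarkup are hypothetical.

```javascript
// Added illustration, not TiddlyWiki code. Helper names are hypothetical.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Review a sandbox token list; an empty result means no finding.
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return ["no sandbox attribute: isolation depends on the frame's origin alone"];
  }
  const tokens = String(value).toLowerCase().split(/\s+/).filter(Boolean);
  const findings = [];
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin: framed script can " +
      "reach window.parent and remove its own sandbox");
  }
  if (tokens.includes("allow-top-navigation")) {
    findings.push("allow-top-navigation: frame can navigate the wiki page away");
  }
  return findings;
}

// Build iframe markup for an untrusted text/html body. Without
// allow-same-origin the document gets an opaque origin, so calls such as
// window.parent.$tw.wiki.getTiddlerText(...) fail in the frame.
function frameMarkup(html, sandbox = "allow-scripts") {
  const problems = auditSandbox(sandbox);
  if (problems.length > 0) {
    throw new Error(problems.join("; "));
  }
  return '<iframe sandbox="' + escapeAttr(sandbox) + '" srcdoc="' +
    escapeAttr(html) + '"></iframe>';
}

// Constructed text/html tiddler body.
const SAMPLE_BODY = '<script>alert("Hooray");</script>';
console.log(frameMarkup(SAMPLE_BODY));
console.log(auditSandbox("allow-scripts allow-same-origin"));
```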
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
> It's not hard to find. If you search the source tree for "script" (including quotes) you'll see this in *config.js*...

Thanks for the pointers.
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
TiddlyWiki is designed to block JavaScript in wiki text content to make sure that it is safe to share wiki text content. It's necessary so that we can explore multi-user server configurations and federation. If the act of viewing content authored by someone else causes executable JS code to run then it becomes possible for a malicious actor to, for example, craft a message that actually contains code to steal or delete your personal information.

So, in TW5, there is a strict distinction between wiki text tiddlers (text/vnd.tiddlywiki) and JavaScript module tiddlers (type text/javascript, and with a module-type field). That allows us to filter content from other sources to ensure that we don't allow executable code.

Obviously, these aren't concerns for many users who are working privately. We can serve their needs with a plugin that explicitly enables inline JavaScript, but it's not something that will ever be supported directly by the core.

Best wishes

Jeremy.

On Wed, Jan 28, 2015 at 4:15 PM, Jimmy Armand jimmy.arma...@gmail.com wrote:
> Yeah but I think that this method is not really nice since I want to put the javascript in a tiddler (text/vnd.tiddlywiki)
>
> On Wednesday, 28 January 2015 06:44:47 UTC-5, Stephan Hradek wrote:
> > Go to tiddlywiki.com
> > Create a New Tiddler
> > Paste this into the tiddler:
> >
> > <script type="text/javascript">
> > alert("Hooray");
> > </script>
> >
> > Set the type to text/html
> > Finish editing
> > Hooray!

--
Jeremy Ruston
mailto:jeremy.rus...@gmail.com
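The filtering of content from other sources described in this message, as an added example that is not part of the original post and is not TiddlyWiki's code: incoming tiddlers, taken as plain objects of fields, are split into those that render as wiki text and those held for an explicit trust decision. The function names, the type lists and the rule that any module-type field holds a tiddler whatever its declared type are assumptions of this sketch.

```javascript
// Added illustration, not TiddlyWiki code. Tiddlers are plain field objects as
// in a JSON export; the type lists and helper names are assumptions.
const SCRIPT_TYPES = ["application/javascript", "text/javascript"];
const FRAME_TYPES = ["text/html"];

// Decide whether one incoming tiddler can carry executable code.
function classifyTiddler(t) {
  const declared = t.type || "text/vnd.tiddlywiki";
  const type = declared.toLowerCase().split(";")[0].trim();
  const reasons = [];
  if (t["module-type"]) {
    reasons.push("module-type field present: " + t["module-type"]);
  }
  if (SCRIPT_TYPES.includes(type)) {
    reasons.push("JavaScript content type: " + type);
  }
  if (FRAME_TYPES.includes(type)) {
    reasons.push("text/html is rendered in an iframe where script tags run");
  }
  return { title: t.title, executable: reasons.length > 0, reasons: reasons };
}

// Split an import into tiddlers to accept and tiddlers held for review.
function partitionImport(tiddlers) {
  const accepted = [];
  const held = [];
  for (const t of tiddlers) {
    const verdict = classifyTiddler(t);
    (verdict.executable ? held : accepted).push(verdict);
  }
  return { accepted: accepted, held: held };
}

// Constructed sample import. The first entry is wiki text: per the thread,
// a script element in it is renamed to safe-script when rendered.
const SAMPLE_IMPORT = [
  { title: "Meeting notes", text: "Agenda <script>alert(1)</script>" },
  { title: "enablescript", type: "application/json", "module-type": "macro",
    text: "(function(){ /* ... */ })();" },
  { title: "widget.js", type: "application/javascript", "module-type": "widget",
    text: "/* ... */" },
  { title: "Embedded page", type: "text/html", text: "<script>/* ... */</script>" },
];

const result = partitionImport(SAMPLE_IMPORT);
console.log(result.accepted.map((v) => v.title));
console.log(result.held.map((v) => v.title + ": " + v.reasons.join("; ")));
```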
Re: [tw] Re: Simple Javascript insertion in tiddlers (text/vnd.tiddlywiki)
It makes sense. Thanks!

On Wednesday, 28 January 2015 11:25:39 UTC-5, Jeremy Ruston wrote:
> TiddlyWiki is designed to block JavaScript in wiki text content to make sure that it is safe to share wiki text content. It's necessary so that we can explore multi-user server configurations and federation. If the act of viewing content authored by someone else causes executable JS code to run then it becomes possible for a malicious actor to, for example, craft a message that actually contains code to steal or delete your personal information.
>
> So, in TW5, there is a strict distinction between wiki text tiddlers (text/vnd.tiddlywiki) and JavaScript module tiddlers (type text/javascript, and with a module-type field). That allows us to filter content from other sources to ensure that we don't allow executable code.
>
> Obviously, these aren't concerns for many users who are working privately. We can serve their needs with a plugin that explicitly enables inline JavaScript, but it's not something that will ever be supported directly by the core.
>
> Best wishes
>
> Jeremy.
>
> On Wed, Jan 28, 2015 at 4:15 PM, Jimmy Armand jimmy@gmail.com wrote:
> > Yeah but I think that this method is not really nice since I want to put the javascript in a tiddler (text/vnd.tiddlywiki)
> >
> > On Wednesday, 28 January 2015 06:44:47 UTC-5, Stephan Hradek wrote:
> > > Go to tiddlywiki.com
> > > Create a New Tiddler
> > > Paste this into the tiddler:
> > >
> > > <script type="text/javascript">
> > > alert("Hooray");
> > > </script>
> > >
> > > Set the type to text/html
> > > Finish editing
> > > Hooray!
>
> --
> Jeremy Ruston
> mailto:jeremy...@gmail.com