[tw5] Re: Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread TW Tones
Charlie,

Whatever you wish, but I feel I needed to clarify: the innerwiki plugin can 
run on single-file wikis and generate a new single-file wiki, like in an 
iframe, from where you can save it as a new single-file wiki if you 
wanted. Perhaps a good place to test.

Its purpose was documentation snapshots, which require node; other 
applications of it do not need node.

Regards
Tones


On Monday, 16 August 2021 at 23:18:55 UTC+10 cj.v...@gmail.com wrote:

> Well, I'm more assuming than presuming that it is secure.
>
> Yup, the template in my quick follow-up after the initial post looks much nicer.
>
> Nah, I have not played with the Innerwiki plugin. I largely prefer 
> single-file TiddlyWikis, and Innerwiki seems to be for TiddlyWiki on 
> nodejs. I'll try it sometime for giggles, but my goal here is the ability 
> to quickly add simple javascript needs with simple copy/paste and without 
> javascript macros.
>
> I'm loving the speculation.
>
> - In particular: TiddlyWiki as an editor for creating web pages 
>   (HTML, CSS, javascript)
>
> Be aware that the TiddlyWiki cannot see what is in the iFrame, and the 
> iFrame cannot see what is in the TiddlyWiki.
>
> *However and hypothetically*: the HTML fed to the iFrame can be dynamic 
> (i.e. the HTML is created by TiddlyWiki), thus allowing TiddlyWiki to include 
> TiddlyWiki info in the HTML. Interesting possibilities ...
>
> On Monday, August 16, 2021 at 1:21:58 AM UTC-3 TW Tones wrote:
>
>> Charlie,
>>
>> Thanks for this.
>>
>> - I presume it is secure because the iframe acts like a sandbox
>> - The result will be what is displayed because there is no permitted 
>>   way to impact the wiki
>>
>> I wonder if:
>>
>> - A template can be used rather than the variable? Yes, the following 
>>   worked.
>> - Using a TiddlyWiki template for the content of the iframe may need to 
>>   wikify first.
>>
>> Have you played with the *innerwiki plugin*? It's similar but different. 
>> It can pass a lot more data to the iframe (I think); in fact it can build a 
>> whole wiki inside the iframe.
>>
>> Speculation:
>>
>> - Could this be used by students of javascript?
>> - What kind of Javascript code can be implemented this way?
>> - Could it access functions defined in the parent wiki, e.g. raw tags?
>>   - I suppose it could if added to the template.
>> - Could we use iframes in which to publish complete html pages 
>>   including javascript, as a website development or learning tool?
>>
>> Regards
>> Tones
>>
>> On Monday, 16 August 2021 at 12:39:05 UTC+10 cj.v...@gmail.com wrote:
>>
>>> Better to keep the HTML readable, drag the attached json with two 
>>> tiddlers into some TiddlyWiki:
>>>
>>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>>
 I don't know what made me think of this.

 In case this has not been brought up in a while (I doubt this is new to 
 seasoned folk) ...

 I was thinking: could I use an iFrame to include simple javascript in a 
 tiddler without getting into macros or plugins that enable javascript?

 And, if I could, then could I set things up so that the iFrame is 
 showing javascript dynamically created by the tiddler?

 So here is a way to show a digital clock in TiddlyWiki, for 
 non-programmers who just want to copy and paste javascript code from the 
 web without figuring out how the javascript code works:

 Put this in a brand new tiddler:

 <!-- the div, script, iframe and closing $vars tags below were restored from context; the list archive stripped them from the post -->
 <$vars vSrcDoc={{{ [[ <div id="clockDiv"></div><script>
 let clockEl = document.getElementById("clockDiv");
 function getClockTime() {
   let date = new Date();
   let hr = date.getHours();
   let min = date.getMinutes();
   let sec = date.getSeconds();
   hr = ("0" + hr).slice(-2);
   min = ("0" + min).slice(-2);
   sec = ("0" + sec).slice(-2);
   clockEl.innerHTML = `${hr}:${min}:${sec}`;
 }
 setInterval(getClockTime, 1000);
 </script> ]] }}}>
 <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;">
 </iframe>
 </$vars>

 Sneaky sneaky, has me wondering what kind of other fun things could be 
 done...

>>>

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/bb8a5d48-341e-4637-9ed4-10b49c71f146n%40googlegroups.com.


[tw5] Re: Just a goofy thought: a way to get javascript into a Tiddler

2021-08-16 Thread Charlie Veniot
Scratch that.

Seems like an easy TW security fix is in the works, so that this stream of 
"potential goodies" on my mind will be sooner-than-later worry-free.

Woohoo!

After a few times of this happening (me finding something cool that 
software allows, which has security-minded folk having an "oh poop" 
moment) ... Hmm, maybe I should be thinking of a career as a white hat, kind 
of an Inspector Clouseau version ...





On Monday, August 16, 2021 at 12:51:35 PM UTC-3 Charlie Veniot wrote:

> It kind of sounds like the iFrame element should then be outright 
> eliminated from the web entirely.
>
> That might be problematic.
>
> Re security, couldn't any tiddler that is a javascript macro be altered 
> for nefarious purposes just as easily as injecting malicious javascript 
> into an iFrame?  
>
> On Monday, August 16, 2021 at 12:39:41 PM UTC-3 flanc...@gmail.com wrote:
>
>> This seems EXTREMELY INSECURE. What is to stop an attacker from injecting 
>> malicious JS into a tiddler, regardless of whether it is "sandboxed"? 
>> Paste this Proof-of-Concept into a blank tiddler. What it does is steal 
>> your GitHub PAT if you have it configured, and alert it to you. While I 
>> have not done it here, I could easily make it both invisible and have it 
>> email me the PATs it gathers.
>>
>> CODE:
>> <$vars vSrcDoc={{{ [[ > id="clockDiv">document.getElementById('clockDiv').innerHTML = 
>> ``; 
>> document.getElementById('xss').click();]] }}}>
>> > style="border:none;width:100%;">
>> 
>>
>> Long-story-short, an attacker can easily bypass any sanitisation TW 
>> employs, and harvest credentials from various sites. It is my belief that 
>> this issue needs to be fixed immediately, and brought to the attention of 
>> Jeremy and other devs.
>>
>> I would be happy to help on the repair process. I have some experience 
>> with PenTesting and fixing XSS vulnerabilities (mainly in my own 
>> applications). I would recommend adding a listener to TW changes, and 
>> checking for iframe code. If it does contain this, TW should add a 
>> sandbox constraint on it 
>> (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox).
>>
>> On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:
>>
>>> Updated one of the tiddlers in the JSON package.  New version attached.
>>>
>>> The addition highlighted below:
>>>
>>>
>>> document.oncontextmenu = function() {
>>>   return false;
>>> };
>>> let clockEl = document.getElementById("clockDiv");
>>> ...
>>>
>>> The reason for the added code: block access to the back button in the 
>>> iFrame (by blocking access to the entire context menu), which winds up 
>>> performing the back-button operation on the entire browser page.
>>>
>>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>>
 I don't know what made me think of this.

 In case this has not been brought up in a while (I doubt this is new to 
 seasoned folk) ...

 I was thinking: could I use an iFrame to include simple javascript in a 
 tiddler without getting into macros or plugins that enable javascript.

 And, if I could, then could I set things up so that the iFrame is 
 showing javascript dynamically created by the tiddler ?

 So here is a way to show a digital clock in TiddlyWiki, for 
 non-programmers who just want to copy and paste javascript code from the 
 web without figuring out how the javascript code works :

 Put this in a brand new tiddler:

 <$vars vSrcDoc={{{ [[
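The check proposed in the thread (scan a tiddler for iframe code and force a sandbox on it) and the clock tiddler from the first post, worked through as an added example. This is not code from the thread and not TiddlyWiki's own code: the function names, the `srcdoc=<<vSrcDoc>>` attribute form in the constructed sample, and the choice of `allow-scripts` as the default sandbox are my assumptions. It reports every `<iframe>` whose sandbox is missing or grants `allow-same-origin` together with `allow-scripts`, and rewrites the tag so that pair is never granted; a `srcdoc` frame without a sandbox runs in the wiki page's own origin, which is what gives a script inside it access to the wiki's DOM and browser storage.

```javascript
// Added example: not code from the thread or from TiddlyWiki. It scans tiddler
// text for <iframe> tags and (a) reports any whose sandbox is missing or
// grants allow-same-origin together with allow-scripts, (b) rewrites them so
// the sandbox never grants that pair. A srcdoc iframe with no sandbox runs in
// the wiki page's own origin, so its script can read the wiki's DOM and
// browser storage; an opaque-origin sandbox removes that access.

// One widget attribute: name, then optionally "=" and a value in the forms
// TiddlyWiki wikitext accepts ("...", '...', """...""", <<macro>>,
// {{{filter}}}, {{transclusion}}) or a bare token. Sticky so it can be
// applied at an exact offset.
const ATTR_RE =
  /([^\s=\/>]+)(?:\s*=\s*("""[\s\S]*?"""|"[^"]*"|'[^']*'|<<[^>]*?>>|\{\{\{[\s\S]*?\}\}\}|\{\{[^}]*\}\}|[^\s>]+))?/y;

// Parse the attribute list starting at `pos` (just after "<iframe").
// Returns { attrs: [{ name, raw }], end, selfClosing } or null if malformed.
function parseIframeTag(text, pos) {
  const attrs = [];
  for (;;) {
    while (pos < text.length && /\s/.test(text[pos])) pos++;
    if (text.startsWith("/>", pos)) return { attrs, end: pos + 2, selfClosing: true };
    if (text[pos] === ">") return { attrs, end: pos + 1, selfClosing: false };
    ATTR_RE.lastIndex = pos;
    const m = ATTR_RE.exec(text);
    if (!m) return null; // malformed tag: leave it for the renderer to reject
    attrs.push({ name: m[1], raw: m[2] });
    pos = ATTR_RE.lastIndex;
  }
}

// Sandbox tokens declared on the tag, lower-cased, or null if there is no
// sandbox attribute at all (the dangerous default).
function sandboxTokens(attrs) {
  const a = attrs.find(x => x.name.toLowerCase() === "sandbox");
  if (!a) return null;
  const value = (a.raw ?? "").replace(/^("""|"|')|("""|"|')$/g, "");
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Yield every parseable <iframe ...> start tag with its offsets.
function* iframeTags(text) {
  const re = /<iframe\b/gi;
  let m;
  while ((m = re.exec(text))) {
    const tag = parseIframeTag(text, m.index + m[0].length);
    if (!tag) continue;
    yield { start: m.index, ...tag };
    re.lastIndex = tag.end;
  }
}

// Detection (the "listener" side): one finding per risky iframe.
function auditIframes(text) {
  const findings = [];
  for (const tag of iframeTags(text)) {
    const tokens = sandboxTokens(tag.attrs);
    if (tokens === null) {
      findings.push({ index: tag.start, reason: "no sandbox attribute" });
    } else if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
      findings.push({ index: tag.start, reason: "allow-scripts with allow-same-origin" });
    }
  }
  return findings;
}

// Mitigation: rewrite every iframe so it carries a sandbox attribute.
// `defaultTokens` applies when the author gave no sandbox; the default keeps
// scripts running (so the clock still ticks) but in an opaque origin.
// allow-same-origin is dropped whenever scripts are allowed.
function hardenIframes(text, defaultTokens = ["allow-scripts"]) {
  let out = "";
  let last = 0;
  for (const tag of iframeTags(text)) {
    const tokens = sandboxTokens(tag.attrs) ?? new Set(defaultTokens.map(t => t.toLowerCase()));
    if (tokens.has("allow-scripts")) tokens.delete("allow-same-origin");
    const kept = tag.attrs
      .filter(a => a.name.toLowerCase() !== "sandbox")
      .map(a => (a.raw === undefined ? a.name : `${a.name}=${a.raw}`));
    kept.push(`sandbox="${[...tokens].sort().join(" ")}"`);
    out += text.slice(last, tag.start) + `<iframe ${kept.join(" ")}${tag.selfClosing ? "/>" : ">"}`;
    last = tag.end;
  }
  return out + text.slice(last);
}

// Constructed sample: the clock tiddler from the first post with the tags the
// archive dropped written out; the srcdoc=<<vSrcDoc>> form is an assumption.
const CLOCK_TIDDLER = `<$vars vSrcDoc={{{ [[ <div id="clockDiv"></div><script>
setInterval(() => {
  document.getElementById("clockDiv").textContent = new Date().toLocaleTimeString();
}, 1000);
</script> ]] }}}>
<iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
</$vars>`;

console.log(auditIframes(CLOCK_TIDDLER)); // one finding: no sandbox attribute
console.log(hardenIframes(CLOCK_TIDDLER)); // same tiddler with sandbox="allow-scripts"
```

Text rewriting is the simplest place to show the policy, but wikitext can compute attribute values at render time, so a renderer is better off applying the same token rules at the moment it creates the DOM element for the iframe; the policy function is the same either way. Passing `[]` as `defaultTokens` gives a fully locked sandbox (`sandbox=""`), at the cost of the clock script no longer running.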