Charlie,
Whatever you wish, but I feel I needed to clarify: the innerwiki plugin can
run on single-file wikis and generate a new single-file wiki, like in an
iframe, from where you can save it as a new single-file wiki, if you
wanted. Perhaps a good place to test.
Its purpose was for
Scratch that.
Seems like an easy TW security fix is in the works so that this stream of
"potential goodies" on my mind will be sooner-than-later worry-free.
Woohoo!
After a few times of this happening (me finding something cool that
software allows, which has security-minded folk having an
I don't have much experience with JS macros in TW, but I can imagine it
would be the same, especially if there is no sanitisation whatsoever. As to
eliminating iframes, normally there is no way to break out of one. However,
in the case of my Proof-of-Concept with TW, the localStorage
It kind of sounds like the iFrame element should then be outright
eliminated from the web entirely.
That might be problematic.
Re security, couldn't any tiddler that is a javascript macro be altered for
nefarious purposes just as easily as injecting malicious javascript into an
iFrame?
On
Alerted Dev Group of potential
vulnerability: https://github.com/Jermolene/TiddlyWiki5/issues/5958.
Hopefully they re-imagine the TW Github saving mechanism, as I proposed, to
something beyond the scope of what the iframe can access (such as browser
Cookie)
On Monday, August 16, 2021 at
This seems EXTREMELY INSECURE. What is to stop an attacker from injecting
malicious JS into a tiddler, regardless of whether it is "sandboxed".
Paste this Proof-of-Concept into a blank tiddler. What it does is steal
your GitHub PAT if you have it configured, and alert it to you. While I
have
Another code sample. Drag the attached to TiddlyWiki.com .
The "Random HTML" tiddler is a patchwork of code bits I scammed from the
web. This Tiddler has the javascript needed to get a random value from a
comma-separated-value list and present that value.
The "Getting Random Values" tiddler
Updated one of the tiddlers in the JSON package. New version attached.
The addition highlighted below:
    document.oncontextmenu = function() {
        return false;
    };
    let clockEl = document.getElementById("clockDiv");
    ...
The reason for the added code: block access to the back
Well, I'm more assuming than presuming that it is secure.
Yup, template in my quick follow-up after initial post looks much nicer.
Nah, I have not played with the Innerwiki plugin. I largely prefer
single-file TiddlyWikis, and Innerwiki seems to be for TiddlyWiki on
nodejs. I'll try it
Charlie,
Thanks for this.
- I presume it is secure because the iframe acts like a sandbox
- The result will be what is displayed because there is no permitted way
to impact the wiki
I wonder if
- A template can be used rather than the variable? yes the following
worked
Better to keep the HTML readable, drag the attached json with two tiddlers
into some TiddlyWiki:
On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
> I don't know what made me think of this.
>
> In case this has not been brought up in a while (I doubt this is new to
>
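The sandbox question raised in this thread (whether an iframe by itself isolates a tiddler's script from the wiki's storage, which the localStorage proof-of-concept above says it does not) can be checked directly. This is an added example, not code from the thread or from TiddlyWiki: the page stores a constructed placeholder value, then renders the same probe twice, once in a plain `srcdoc` iframe, which inherits the parent's origin, and once with `sandbox="allow-scripts"` and no `allow-same-origin`, which gives the frame an opaque origin so the storage read is refused.

```html
<!doctype html>
<meta charset="utf-8">
<title>iframe sandbox vs. localStorage (added example)</title>
<pre id="log"></pre>
<!-- The same probe is rendered in both frames; only the sandbox attribute differs. -->
<iframe id="plain" hidden></iframe>
<iframe id="boxed" hidden sandbox="allow-scripts"></iframe>
<script>
  // Constructed placeholder standing in for a saver credential; not a real token.
  localStorage.setItem("demo/saver-token", "PLACEHOLDER-NOT-A-REAL-PAT");

  // Probe document: tries to read the embedding page's storage and reports back.
  // An unsandboxed srcdoc frame shares the parent's origin, so the read works.
  // A sandboxed frame without allow-same-origin has an opaque origin, and the
  // browser throws a SecurityError on the localStorage access instead.
  function probe(frameId) {
    return `<script>
      let result;
      try {
        result = "read: " + window.localStorage.getItem("demo/saver-token");
      } catch (e) {
        result = "blocked: " + e.name;
      }
      parent.postMessage({ frame: ${JSON.stringify(frameId)}, result }, "*");
    <\/script>`;
  }

  const frames = ["plain", "boxed"].map((id) => document.getElementById(id));

  // Only accept reports from the two frames this page created.
  window.addEventListener("message", (ev) => {
    if (!frames.some((f) => f.contentWindow === ev.source)) return;
    document.getElementById("log").textContent +=
      `${ev.data.frame}: ${ev.data.result}\n`;
  });

  for (const frame of frames) {
    frame.srcdoc = probe(frame.id);
  }
</script>
```

Serve the file over http(s) rather than opening it from disk, since some browsers disable localStorage for file:// pages and the comparison would be meaningless.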
Better to keep the HTML readable, drag this package of two tiddlers into
some TiddlyWiki:
On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
> I don't know what made me think of this.
>
> In case this has not been brought up in a while (I doubt this is new to
> seasoned