On Thursday, February 6, 2020 at 3:54:34 PM UTC+1, Mark S. wrote:
>
> Is it possible the "receiving" portion of this plugin could make it into 
> the core, so that any TW could receive tiddlers?
>

In a recent post 
<https://groups.google.com/d/msg/tiddlywiki/21BnNYG30eM/iClNnJ5EBAAJ>, 
Jeremy pointed out that the receiving part of the plugin *is* a "cross 
site scripting" attack vector ... without the need to use executable code.

On Thursday, February 6, 2020 at 12:29:21 AM UTC+1, Jeremy Ruston wrote:
> ...
>
>> For example, I could craft a link to tiddlywiki.com that changes the 
>> wiki so that the download button downloads malware. It's actually a 'cross 
>> site scripting' attack.
>>
>
More info at Wikipedia: https://en.wikipedia.org/wiki/Cross-site_scripting

The use case you describe allows everyone to impersonate every existing 
plugin. It will be easy to create an evil copy of a plugin and post it 
within a link. 

With this link you want to point to a 3rd-party but "friendly" TiddlyWiki 
edition, that will in turn allow a naive user to download malware from a 
4th-party site. 

The cool thing now is that the "friendly" repository will get all the fame 
and will probably be blocked by its hosting agency. ... That's a very nice 
move!
I'd really like to enable this behavioural pattern for all of my sites. ... 
Jokes aside. 

I think with this "functionality" TiddlyWiki will easily make it onto every 
browser's blacklist. 

having not much fun atm
-mario
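The following is an added example, not code from the plugin, from TiddlyWiki, or from anyone in this thread. It models in a few lines the point Jeremy and Mario make above: a wiki that applies whatever tiddlers a link carries lets any link author overwrite any tiddler, including the ones a plugin lives in, and a receiving endpoint that is safe to ship in core has to refuse exactly that. The only TiddlyWiki fact relied on is that system and plugin tiddlers have titles beginning with `$:/`; the link fragment shape (`#import=<urlencoded JSON>`), the store shape and all helper names are assumptions for the example.

```javascript
// Added example (not TiddlyWiki's or the plugin's code): a simplified model of a
// wiki that accepts tiddlers from a link fragment. Tiddler titles beginning with
// "$:/" are system/plugin tiddlers in TiddlyWiki; everything else here (fragment
// name, store shape, helper names) is an assumption made for this example.

function parseImportFragment(hash) {
  // Assumed fragment shape: "#import=<urlencoded JSON array of {title, text}>"
  const m = /^#import=(.*)$/.exec(hash || "");
  if (!m) return [];
  let payload;
  try {
    payload = JSON.parse(decodeURIComponent(m[1]));
  } catch (e) {
    return [];
  }
  if (!Array.isArray(payload)) return [];
  return payload.filter(
    (t) => t && typeof t.title === "string" && typeof t.text === "string"
  );
}

// Naive receiver: whatever the link carries is written straight into the store.
// A link can therefore replace "$:/plugins/..." with an evil copy of a plugin,
// or swap the text behind a download button for a link to another site.
function receiveNaive(store, hash) {
  const result = { ...store };
  for (const t of parseImportFragment(hash)) result[t.title] = t.text;
  return result;
}

// Hardened receiver: never touches the "$:/" namespace (plugins, core UI),
// never overwrites a tiddler that already exists, and stages the rest for an
// explicit user decision (confirmImport) instead of applying it on page load.
function receiveHardened(store, hash, confirmImport) {
  const accepted = [];
  const rejected = [];
  for (const t of parseImportFragment(hash)) {
    if (t.title.startsWith("$:/")) {
      rejected.push({ title: t.title, reason: "system/plugin namespace" });
    } else if (Object.prototype.hasOwnProperty.call(store, t.title)) {
      rejected.push({ title: t.title, reason: "would overwrite existing tiddler" });
    } else {
      accepted.push(t);
    }
  }
  const result = { ...store };
  if (accepted.length > 0 && confirmImport(accepted)) {
    for (const t of accepted) result[t.title] = t.text;
  }
  return { store: result, accepted, rejected };
}

// Constructed sample data: a wiki holding one plugin and one ordinary tiddler,
// and a crafted link that tries to replace both and add one new note.
const sampleStore = {
  "$:/plugins/example/download": "original plugin code",
  HelloThere: "welcome text",
};
const maliciousLink =
  "#import=" +
  encodeURIComponent(
    JSON.stringify([
      { title: "$:/plugins/example/download", text: "evil copy pointing at a 4th-party site" },
      { title: "HelloThere", text: "defaced" },
      { title: "Harmless new note", text: "fine" },
    ])
  );

// Stand-alone run: compare what each receiver does with the same link.
console.log("naive  :", receiveNaive(sampleStore, maliciousLink));
console.log("hardened:", receiveHardened(sampleStore, maliciousLink, () => true));
```

Note that the hardened receiver still has the naive one's parsing surface; the property that matters is that nothing from the link lands in the store without surviving the namespace and overwrite checks and a user decision, and that the decision is taken on the wiki's side, not the link author's.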
