Whoops, just realized my mistake: only the creator of the TiddlyWiki or
someone with the correct PAT can save. I guess my real question is if
TiddlyWiki does save by html tag, or if it grabs the values of Tiddlers
individually and safely adds this code into the existing repo file. If so,
how is this possible? It would seem like the GitHub API does not allow you
to use existing code and just add new content in.

On Wed, Apr 21, 2021 at 8:42 PM Finn Lancaster <[email protected]> wrote:

>
> Hello,
> I had a random thought pop in my head about TiddlyWiki GitHub saving
> security the other day, and couldn't think of my own solution, so I thought
> I'd ask.
>
> My question is this: From the TiddlyWiki GitHub saving file (
> https://github.com/Jermolene/TiddlyWiki5/blob/master/core/modules/savers/github.js),
> it looks as if the entire wiki file (i.e. from html tag or similar) is placed
> inside a new commit for the user's given repo.
>
> Correct me if I'm wrong, but this seems to be completely insecure. If it
> does work the way I described (.get() request to GitHub to get SHAs and
> pushing to provided filename), then what is keeping a user from inspecting
> the code (Right Click>Inspect) and adding a <script>var addedVariable =
> document.cookie;</script>, or adding the TW5 saved localStorage password value
> with <script>var
> addedVariable=localStorage.getItem('PASSWORD-LocalStorageName');</script>
> and then waiting for someone with proper permissions to come through and
> save.
>
> The way that this is working in my head (probably completely wrong) is
> that this variable would be saved as it's inside the bounds of the tag
> innerHTML, and run each time the wiki is opened. As TiddlyWiki is
> single-file when downloaded as empty, I can't envision a multi-file system
> where each Tiddler is saved to a different .txt file, per se, which is the
> way I would have approached this.
>
> --
> You received this message because you are subscribed to the Google Groups
> "TiddlyWiki" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/tiddlywiki/bd7284b4-861a-42c5-be25-d77a6eacdc98n%40googlegroups.com
> <https://groups.google.com/d/msgid/tiddlywiki/bd7284b4-861a-42c5-be25-d77a6eacdc98n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
