On Thursday, April 22, 2021 at 2:42:04 AM UTC+2 [email protected] wrote: ...
> My question is this: From the TiddlyWiki GitHub saving file (https://github.com/Jermolene/TiddlyWiki5/blob/master/core/modules/savers/github.js), it looks as if the entire wiki file (ie from html tag or similar) is placed inside a new commit for the user's given repo.

That's right. The git-savers are still working with a "single-file" wiki.

> Correct me if I'm wrong, but this seems to be completely insecure. If it does work the way I described (.get() request to GitHub to get SHAs and pushing to provided filename), then what is keeping a user from inspecting the code (Right Click>Inspect) and adding a <script>var addedVariable = document.cookie;</script>, or adding TW5 saved localStorage password value with <script>var addedVariable=localStorage.getItem('PASSWORD-LocalStorageName');</script> and then waiting for someone with proper permissions to come through and save.

It's not that simple to add new code to the "inspected" code view. .. It's a viewer only. So you can't create new HTML elements and let the browser "execute" it.

BUT you can add new tw plugins to the existing wiki, that is entirely held in the browser memory. ... IF you have local access to the PC you can make the TW save changes. .... BUT that's the same for every other app on the PC. So that's a completely different "security problem" than browser security. This has to be addressed at the OS level. Eg: Lock the system. So no other users have access to the system in general.

> The way that this is working in my head (probably completely wrong) is that this variable would be saved as it's inside the bounds of the tag innerHTML, and run each time the wiki is opened.

As I wrote. If I was able to install a TW plugin ... Yes.

> As TiddlyWiki is single-file when downloaded as empty, I can't envision a multi-file system where each Tiddler is saved to a different .txt file, per se, which is the way I would have approached this.

That's exactly the same problem as a single-file system. The difference is that it would be much harder to detect, because you have many files instead of one. So the problem doesn't go away if you use a (eg: nodejs) TW version. On the contrary. It's harder.

-mario

--
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/dffd78a6-c91b-40a1-836d-b7cdbb06463bn%40googlegroups.com.
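Mario's point is that the risk with a git-saved single-file wiki is one of review: whoever holds commit rights ends up committing whatever executable content the wiki file carries, and a plugin added in browser memory looks like any other tiddler. The script below is an added example, not code from this thread or from the TiddlyWiki project. It inventories the executable parts of a committed wiki file so a repository owner can compare two revisions and spot JavaScript tiddlers or bare script elements that were not there before. The sample wiki is constructed, and the store layouts it parses (a `<div id="storeArea">` holding one `<div>` per tiddler, and a JSON store inside a `<script class="tiddlywiki-tiddler-store">`) as well as the `tiddlywiki-boot` class name are assumptions about the file format, not taken from the project's source.

```python
import json
from html.parser import HTMLParser

# Constructed sample of a single-file wiki (not a real TiddlyWiki export).
# Both store layouts are assumed formats: a classic storeArea div and a JSON store script.
SAMPLE_WIKI = """<!doctype html><html><head><title>demo</title></head><body>
<div id="storeArea" style="display:none;">
<div title="HelloThere" type="text/vnd.tiddlywiki"><pre>Welcome</pre></div>
<div title="$:/plugins/example/evil" type="application/javascript" module-type="startup"><pre>exports.startup = function(){ /* runs on every load */ };</pre></div>
</div>
<script class="tiddlywiki-tiddler-store" type="application/json">[{"title":"Notes","type":"text/vnd.tiddlywiki","text":"nothing"},{"title":"$:/plugins/example/sneaky","type":"application/javascript","module-type":"startup","text":"exports.startup=function(){};"}]</script>
<script>var addedVariable = document.cookie;</script>
<script class="tiddlywiki-boot" src="tiddlywiki-boot.js"></script>
</body></html>"""

JS_TYPES = {"application/javascript", "text/javascript"}
# Script elements the wiki is expected to carry; class names are assumptions.
KNOWN_SCRIPT_CLASSES = {"tiddlywiki-tiddler-store", "tiddlywiki-boot"}


class WikiScanner(HTMLParser):
    """Collect JavaScript tiddlers and bare <script> elements from a wiki file."""

    def __init__(self):
        super().__init__()
        self.js_tiddlers = []   # tiddlers whose type is JavaScript (loaded as modules)
        self.raw_scripts = []   # <script> bodies outside the known store/boot elements
        self._in_store = False
        self._tiddler = None    # the storeArea tiddler <div> currently open
        self._script = None     # [kind, text chunks] for the <script> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "div" and a.get("id") == "storeArea":
            self._in_store = True
        elif tag == "div" and self._in_store and self._tiddler is None and "title" in a:
            self._tiddler = {"title": a["title"], "type": a.get("type", ""),
                             "module-type": a.get("module-type", ""), "text": ""}
        elif tag == "script":
            cls = a.get("class", "")
            if cls == "tiddlywiki-tiddler-store":
                kind = "store"
            elif cls in KNOWN_SCRIPT_CLASSES:
                kind = "known"
            else:
                kind = "raw"
            self._script = [kind, []]

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)
        elif self._tiddler is not None:
            self._tiddler["text"] += data

    def handle_endtag(self, tag):
        if tag == "div" and self._in_store:
            if self._tiddler is not None:
                self._record(self._tiddler)
                self._tiddler = None
            else:
                self._in_store = False      # closing </div> of the store itself
        elif tag == "script" and self._script is not None:
            kind, parts = self._script
            body = "".join(parts)
            if kind == "store":
                for tiddler in json.loads(body):
                    self._record(tiddler)
            elif kind == "raw":
                self.raw_scripts.append(body.strip())
            self._script = None

    def _record(self, tiddler):
        if tiddler.get("type", "") in JS_TYPES:
            self.js_tiddlers.append({"title": tiddler.get("title", ""),
                                     "module-type": tiddler.get("module-type", ""),
                                     "text": tiddler.get("text", "").strip()})


def scan_wiki(html_text):
    """Return the executable inventory of one wiki file."""
    scanner = WikiScanner()
    scanner.feed(html_text)
    scanner.close()
    return {"js_tiddlers": scanner.js_tiddlers, "raw_scripts": scanner.raw_scripts}


def diff_js_inventory(before, after):
    """Titles of JavaScript tiddlers present in the new revision but not the old one."""
    old = {t["title"] for t in before["js_tiddlers"]}
    return sorted(t["title"] for t in after["js_tiddlers"] if t["title"] not in old)


if __name__ == "__main__":
    report = scan_wiki(SAMPLE_WIKI)
    for t in report["js_tiddlers"]:
        print(f"JS tiddler: {t['title']} (module-type={t['module-type'] or '-'})")
    for body in report["raw_scripts"]:
        print(f"Bare <script> outside the store: {body[:60]}")
```

Run against the previous commit's file and the incoming one, `diff_js_inventory` names the newly added JavaScript tiddlers; any non-empty result, or any entry in `raw_scripts`, is what the person with commit rights should look at before saving. The same inventory works on a multi-file (node.js) wiki if you concatenate the scan over every `.tid`/`.js` file, which is the extra effort Mario refers to.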

