Why not? If you can add tiddler text to a txt file, any HTML code will not run. It is then much easier to call this plaintext back safely. Why is this just as insecure as a single-file solution, then?

On Thu, Apr 22, 2021 at 7:38 AM Finn Lancaster <[email protected]> wrote:

> Interesting. So what's stopping a TW owner from injecting a malicious script into a tiddler? On a side note, PATs may be more safely stored by using the CryptoJS library (AES), which requires a password to decode the PAT. I did something similar in my repo at GitHub.com/flancast90/lockifyJS, which could be simply adapted.
>
> On Thu, Apr 22, 2021 at 7:25 AM PMario <[email protected]> wrote:
>
>> On Thursday, April 22, 2021 at 12:40:43 PM UTC+2 [email protected] wrote:
>>
>>> Whoops, just realized my mistake: only the creator of the TiddlyWiki or someone with the correct PAT can save.
>>
>> That's right. ... And there actually is a problem that worried me at the beginning, and it still does <https://github.com/Jermolene/TiddlyWiki5/issues/4525>. The existing TW code stores the PAT in plain text in the browser local storage. .. That means, if I do have access to your PC, it will probably take 10 seconds for me to get your github access token. ... I'll need a mobile phone to take a photo.
>>
>>> I guess my real question is if TiddlyWiki does save by html tag, or if it grabs the values of Tiddlers individually and safely adds this code into the existing repo file. If so, how is this possible? It would seem like the GitHub API does not allow you to use existing code and just add new content in.
>>
>> As I wrote. Using several files doesn't make it more secure. ... Only more complex.
>>
>> --------------
>>
>> I think the discussion at github came to this conclusion.
>>
>> A more secure workflow can look like this.
>>
>> - The PAT is encrypted and stored to the local storage
>> - The user opens the wiki and views it.
>> - The PAT isn't needed. So nothing happens.
>>
>> - The user wants to save back to github
>> - A (to be made) dialogue asks for the password to decrypt the PAT ... see [1]
>> - PAT is decrypted and used to save
>> - Decrypted PAT in memory is thrown away immediately
>>
>> [1] As written at the github issue, it should be possible to use a browser AddOn that lets you "autofill" the password form. The AddOn may also have a dialogue with a "master PW".
>>
>> So ... We trade convenience for security.
>>
>> have fun!
>> mario
>>
>> --
>> You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/2651a6ad-3672-4427-b03c-d151bb02ab0en%40googlegroups.com

