On Thursday, April 22, 2021 at 1:38:35 PM UTC+2 [email protected] wrote:
> Interesting. So what's stopping a TW owner from injecting a malicious
> script into a tiddler? On a side note, PATs may be more safely stored by
> using the CryptoJS library (AES), which requires a password to decode the
> PAT. I did something similar in my repo at GitHub.com/flancast90/lockifyJS,
> which could be simply adapted.
Hi,

I did have a short look at your code. .. There are several problems that immediately jumped into my face.

1st: jquery dependency, about 9000 lines of code
2nd: crypto-js, another 3000+ lines of code

add1) Just to use $.ajax() and $.get from jquery. ... Have a closer look at the browser fetch API <https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which is built into every browser now.

add2) Have a closer look at the browser crypto api <https://developer.mozilla.org/en-US/docs/Web/API/Crypto>

At https://github.com/flancast90/lockifyJS/blob/main/Login/js/auth.js#L2 it seems you directly load code from an untrusted source into html.innerHTML, without any sanitation. *This is cross site scripting <https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting>!* That's extremely insecure! ... Search the web for .innerHTML, code sanitation and security best practice!

See: https://developer.mozilla.org/en-US/docs/Web/Security

Sorry, but I didn't look further. ...

There are 3 important rules about security.

- The less code involved, the better!
- Only use code that you really trust .... even better: that you understand!
- Security done right is hard!

Just my thoughts
-mario

