Interesting takeaways. As the project is still being developed, I will be working to change these (I had already identified these issues). However, the auth.js file you reference was created by me, how could it be “not trusted?”
On Thu, Apr 22, 2021 at 9:10 AM PMario <[email protected]> wrote:

> On Thursday, April 22, 2021 at 1:38:35 PM UTC+2 [email protected] wrote:
>
>> Interesting. So what’s stopping a TW owner from injecting a malicious script into a tiddler? On a side note, PATs may be more safely stored by using the CryptoJS library (AES) which requires a password to decode the PAT. I did something similar in my repo at GitHub.com/flancast90/lockifyJS, which could be simply adapted.
>>
>
> Hi,
> I did have a short look at your code. .. There are several problems that immediately jumped out at me.
>
> 1st: jquery dependency. about 9000 lines of code
> 2nd: crypto-js another 3000+ lines of code
>
> add1) Just to use $.ajax() and $.get from jquery. ... Have a closer look at the browser fetch API <https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which is built into every browser now.
> add2) have a closer look at the browser crypto api <https://developer.mozilla.org/en-US/docs/Web/API/Crypto>
>
> At https://github.com/flancast90/lockifyJS/blob/main/Login/js/auth.js#L2 it seems you directly load code from an untrusted source into html.innerHTML, without any sanitation. *This is cross site scripting <https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting>!* That's extremely insecure! ... Search the web for .innerHTML, code sanitation and security best practice!
>
> See: https://developer.mozilla.org/en-US/docs/Web/Security
>
> Sorry, but I didn't look further. ...
>
> There are 3 important rules about security.
>
> - The less code involved, the better!
> - Only use code that you really trust .... even better: That you understand!
> - Security done right is hard!
>
> Just my thoughts
> -mario
>
>
> --
> You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/6803d010-a26c-4194-a532-445d05253118n%40googlegroups.com.
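The two points Mario raises first (drop jQuery for `fetch`, and never hand data that arrived over the network to `innerHTML`) fit in one small example. This is an added illustration, not code from lockifyJS or TiddlyWiki, and it does not reproduce what auth.js actually does. Who wrote the script file is beside the point: the bytes it receives at runtime come from a server and a network the page does not control, and `innerHTML` parses those bytes as markup, so any `<script>` or `on*` attribute in them runs in the page's origin. The profile URL, the JSON shape (`name`, `bio`) and the injectable `fetchImpl`/`doc` parameters are assumptions made so the flow can be exercised outside a browser.

```javascript
// Added example (not lockifyJS or TiddlyWiki code): fetch remote data with the
// built-in Fetch API instead of $.ajax(), and put it on the page without ever
// assigning it to innerHTML. URL, JSON shape and the injectable parameters are
// assumptions for this illustration.

// The pattern the reviewer objected to: the response body is parsed as HTML,
// so markup and event handlers inside it execute with the page's privileges.
function renderUnsafe(container, body) {
  container.innerHTML = body; // do not do this with data from the network
}

// Safe for plain text: textContent replaces the element's children with one
// text node and is never interpreted as markup.
function renderAsText(container, body) {
  container.textContent = body;
}

// Safe for structured data: create elements with DOM calls and fill every
// field through textContent. `doc` is normally the page's `document`; it is a
// parameter only so the function can be run without a browser.
function renderProfile(doc, container, profile) {
  const card = doc.createElement('div');
  const name = doc.createElement('strong');
  name.textContent = String(profile.name ?? '');
  const bio = doc.createElement('p');
  bio.textContent = String(profile.bio ?? '');
  card.appendChild(name);
  card.appendChild(bio);
  container.replaceChildren(card);
  return card;
}

// fetch() replaces $.ajax()/$.get(). `fetchImpl` defaults to the global fetch
// and is injectable so the whole flow can be tested with a stub response.
async function loadProfile(url, doc, container, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, { credentials: 'omit' });
  if (!res.ok) throw new Error(`profile request failed: HTTP ${res.status}`);
  const profile = await res.json(); // parsed as JSON, never as HTML
  return renderProfile(doc, container, profile);
}
```

If a field genuinely has to carry markup, the fix is a sanitizer that allow-lists tags and attributes before the string reaches `innerHTML`; `textContent` is the default because it needs no such list.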

