It kind of sounds like the iFrame element should then be outright 
eliminated from the web entirely.

That might be problematic.

Re security, couldn't any tiddler that is a javascript macro be altered for 
nefarious purposes just as easily as injecting malicious javascript into an 
iFrame?  

On Monday, August 16, 2021 at 12:39:41 PM UTC-3 flanc...@gmail.com wrote:

> This seems EXTREMELY INSECURE. What is to stop an attacker from injecting 
> malicious JS into a tiddler, regardless of whether it is "sandboxed"?
> Paste this Proof-of-Concept into a blank tiddler. What it does is steal 
> your GitHub PAT if you have it configured, and alert it to you. While I 
> have not done it here, I could easily make it both invisible and have it 
> email me the PATs it gathers.
>
> CODE:
> <$vars vSrcDoc={{{ [[<body> <div 
> id="clockDiv"></div><script>document.getElementById('clockDiv').innerHTML = 
> `<a id="xss" href="javascript:alert('Your GitHub Token 
> is:'+localStorage.getItem('tw5-password-github')+'. If it is blank, you 
> probably don\\'t have TW GitHub saving configured');"></a>`; 
> document.getElementById('xss').click();</script></body>]] }}}>
> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
> </$vars>
>
> Long-story-short, an attacker can easily bypass any sanitation TW employs, 
> and harvest credentials from various sites. It is my belief that this issue 
> needs to be fixed immediately, and brought to the attention of Jeremy and 
> other devs.
>
> I would be happy to help on the repair process. I have some experience 
> with PenTesting and fixing XSS vulnerabilities (mainly in my own 
> applications). I would recommend adding a listener to TW changes, and 
> checking for an iframe code. If it does contain this, TW should add a 
> sandbox constraint on it (
> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
> )
>
> On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:
>
>> Updated one of the tiddlers in the JSON package.  New version attached.
>>
>> The addition highlighted below:
>>
>> <body>
>>   <div id="clockDiv"></div>
>>   <script>
>>     // highlighted addition: block the context menu inside the iframe
>>     document.oncontextmenu = function() {
>>       return false;
>>     };
>>     let clockEl = document.getElementById("clockDiv");
>> ...
>>
>> The reason for the added code:  block access to the back button in the 
>> iFrame (by blocking access to the entire menu), which winds up performing 
>> the back button operation on the entire browser page.
>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>
>>> I don't know what made me think of this.
>>>
>>> In case this has not been brought up in a while (I doubt this is new to 
>>> seasoned folk) ...
>>>
>>> I was thinking: could I use an iFrame to include simple javascript in a 
>>> tiddler without getting into macros or plugins that enable javascript.
>>>
>>> And, if I could, then could I set things up so that the iFrame is 
>>> showing javascript dynamically created by the tiddler ?
>>>
>>> So here is a way to show a digital clock in TiddlyWiki, for 
>>> non-programmers who just want to copy and paste javascript code from the 
>>> web without figuring out how the javascript code works :
>>>
>>> Put this in a brand new tiddler:
>>>
>>> <$vars vSrcDoc={{{ [[<body>
>>>   <div id="clockDiv"></div>
>>>   <script>
>>>     let clockEl = document.getElementById("clockDiv");
>>>     function getClockTime() {
>>>       let date = new Date();
>>>       let hr = date.getHours();
>>>       let min = date.getMinutes();
>>>       let sec = date.getSeconds();
>>>       // zero-pad each part to two digits
>>>       hr = ("0" + hr).slice(-2);
>>>       min = ("0" + min).slice(-2);
>>>       sec = ("0" + sec).slice(-2);
>>>       clockEl.innerHTML = `${hr}:${min}:${sec}`;
>>>     }
>>>     setInterval(getClockTime, 1000);
>>>   </script></body>]] }}}>
>>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>>> </$vars>
>>>
>>> Sneaky sneaky, has me wondering what kind of other fun things could be 
>>> done...
>>>
>>

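As an added example (not code from this thread, and not TiddlyWiki's own code), here is the hardening step suggested in the quoted message, written in JavaScript. The point it illustrates: a srcdoc iframe with no sandbox attribute runs in the embedding page's origin, which is why the quoted proof of concept can read the page's localStorage; a sandboxed iframe whose token list lacks allow-same-origin gets an opaque origin, and the same localStorage call throws a SecurityError instead. The function names hardenIframeTags and findTagEnd are hypothetical, and the sample tags in the comments are constructed for the example.

```javascript
// Added example, not code from this thread or from TiddlyWiki itself.
// Scans raw tiddler text for <iframe ...> start tags and enforces a sandbox
// attribute that never grants allow-same-origin, leaving other attributes
// untouched. Works on text so it can run before the tiddler is rendered.

// Tokens that would hand the frame the parent's origin back.
const FORBIDDEN_SANDBOX_TOKENS = new Set(['allow-same-origin']);

// Matches a standalone `sandbox` attribute with an optional value in
// double quotes, single quotes, or unquoted.
const SANDBOX_ATTR = /(\s)sandbox(?=[\s=>]|$)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;

// Returns the index of the `>` that closes a start tag whose attributes begin
// at `start`, skipping quoted values and TiddlyWiki <<macro>> values so a `>`
// inside them (e.g. srcdoc=<<vSrcDoc>>) does not end the tag early.
// Returns -1 if the tag is never closed.
function findTagEnd(text, start) {
  let i = start;
  while (i < text.length) {
    const ch = text[i];
    if (ch === '"' || ch === "'") {
      const close = text.indexOf(ch, i + 1);
      if (close === -1) return -1;
      i = close + 1;
    } else if (text.startsWith('<<', i)) {
      const close = text.indexOf('>>', i + 2);
      if (close === -1) return -1;
      i = close + 2;
    } else if (ch === '>') {
      return i;
    } else {
      i += 1;
    }
  }
  return -1;
}

// Rewrites every <iframe> start tag in `text` so it carries a sandbox
// attribute without any forbidden token. Returns the rewritten text and the
// number of tags that had to be changed (0 means the text was already safe).
function hardenIframeTags(text) {
  const tagStart = /<iframe\b/gi;
  let out = '';
  let pos = 0;
  let changed = 0;
  let m;
  while ((m = tagStart.exec(text)) !== null) {
    const attrsStart = m.index + m[0].length;
    const end = findTagEnd(text, attrsStart);
    if (end === -1) break; // unterminated tag: leave the remainder as is
    const attrs = text.slice(attrsStart, end);
    let newAttrs;
    const sb = attrs.match(SANDBOX_ATTR);
    if (sb) {
      const tokens = (sb[2] ?? sb[3] ?? sb[4] ?? '').split(/\s+/).filter(Boolean);
      const kept = tokens.filter((t) => !FORBIDDEN_SANDBOX_TOKENS.has(t.toLowerCase()));
      newAttrs = kept.length === tokens.length
        ? attrs
        : attrs.replace(SANDBOX_ATTR, `$1sandbox="${kept.join(' ')}"`);
    } else {
      newAttrs = attrs + ' sandbox=""'; // empty token list: fully restricted frame
    }
    if (newAttrs !== attrs) changed += 1;
    out += text.slice(pos, m.index) + '<iframe' + newAttrs + '>';
    pos = end + 1;
    tagStart.lastIndex = pos;
  }
  return { text: out + text.slice(pos), changed };
}

// Constructed sample: the clock iframe from this thread gets sandbox="" added,
// while a tag that already declares sandbox="allow-scripts allow-same-origin"
// keeps allow-scripts and loses allow-same-origin.
const sample = '<iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>';
console.log(hardenIframeTags(sample));
```

Note that an empty sandbox list still lets the clock render, since static markup needs no scripts; a frame that genuinely needs script can be given sandbox="allow-scripts", which keeps the opaque origin. A production version would hook this into the wikitext parser's attribute list rather than scanning text, since the regex here is deliberately simple.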
-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/f03f0c64-d6b0-471c-9e6b-4c581498d733n%40googlegroups.com.