On Tuesday, August 17, 2021 at 9:53:28 AM UTC-5 [email protected] wrote:
> Mark,
>
> The scenario I had in mind was: Person A (attacker) adds malicious code
> to his TW instance, which is accessible via the web through GitHub Pages,
> or something similar. He then shares his wiki link with Person B, who
> unknowingly goes to take a look at Person A's wiki. On doing this, Person B
> then has this malicious JS execute on his end, thereby hacking/infecting
> him.
I'm still confused about this scenario. If we're not talking about inserting the code into someone else's wiki via XSS or something, how does TiddlyWiki allow anything here that an arbitrary website wouldn't? If a malicious user can post a page on the web and make the target go to it, then surely anything that a browser allows is fair game, and if there's fault here it should lie with the web browser, not TiddlyWiki. Because even if TW changed to disallow this, surely the malicious user could just revert that change in their own fork of TiddlyWiki and build their malicious wiki on that TW edition?

I'd be more concerned about people being tricked into importing a tiddler that contained code like this.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/6b8a8e85-5545-4812-a266-b4fdffbe9937n%40googlegroups.com.
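A defender-side check for the import concern raised in the reply above, as an added example that is not part of the thread or of TiddlyWiki itself: it audits a TiddlyWiki JSON export before import and lists the tiddlers that carry JavaScript, including modules bundled inside plugin tiddlers. It assumes the standard export layout (a JSON array of tiddler objects with `title`, `type`, `text`, `module-type` and `plugin-type` fields) and uses the constructed sample input shown in the block.

```javascript
// Added example (not from the thread or the TiddlyWiki project): audit a
// TiddlyWiki JSON export before importing it and list every tiddler that
// carries JavaScript. Assumes the standard export format: an array of
// tiddler objects with "title", "type", "text" and, for JS modules,
// "module-type"; plugin tiddlers bundle further tiddlers in their JSON text.

function codeTiddlers(tiddler, found = [], via = null) {
  const type = tiddler.type || "text/vnd.tiddlywiki";
  const isJs = type === "application/javascript" || "module-type" in tiddler;
  if (isJs) {
    found.push({
      title: tiddler.title,
      moduleType: tiddler["module-type"] || "(none)",
      via, // title of the enclosing plugin bundle, if any
    });
  }
  // Plugin bundle: application/json with a "tiddlers" map inside the text.
  if (type === "application/json" && tiddler["plugin-type"]) {
    let inner;
    try { inner = JSON.parse(tiddler.text || "{}").tiddlers || {}; }
    catch (e) { inner = {}; } // malformed bundle: nothing to recurse into
    for (const [title, t] of Object.entries(inner)) {
      codeTiddlers({ title, ...t }, found, tiddler.title);
    }
  }
  return found;
}

// Parse an export file's contents and return all flagged tiddlers.
function auditExport(json) {
  return JSON.parse(json).flatMap((t) => codeTiddlers(t));
}

// Constructed sample export: one harmless note, one JS startup module,
// and a plugin bundle with a widget module hidden inside its text field.
const SAMPLE = JSON.stringify([
  { title: "Shopping list", text: "* milk\n* eggs" },
  { title: "$:/my/startup.js", type: "application/javascript",
    "module-type": "startup", text: "exports.startup = function(){};" },
  { title: "$:/plugins/example/demo", type: "application/json",
    "plugin-type": "plugin",
    text: JSON.stringify({ tiddlers: {
      "$:/plugins/example/demo/widget.js": {
        type: "application/javascript", "module-type": "widget", text: "" } } }) },
]);

for (const f of auditExport(SAMPLE)) {
  console.log(`${f.title} [${f.moduleType}]` + (f.via ? ` via ${f.via}` : ""));
}
```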

