It's worth drawing attention to a recent change we've made to the TiddlySpace core that will soon filter out to tiddlyspace.com:

http://github.com/TiddlySpace/tiddlyspace/commit/90730c3fbc23fc597836dabb336ceb32ce6c895a

The change disables the use of TiddlyWiki's computed macro parameters within TiddlySpace. This means that macros that use computed JavaScript parameters like this will no longer work:

<<tiddler {{tiddler.title + "_notes"}}>>

The change is part of a range of measures that we need to take to make TiddlySpace more secure. The fundamental issue is that TiddlySpace is an environment for sharing both code and content. The ability for users to share code is powerful, and one of the things that I think has led to TiddlyWiki's success. But it can also present dangers, particularly in the hands of the malicious or the inexperienced. For example, a malicious user could entice users to include a space that includes code that "steals" the user's private data and sends it back to the attacker.

In a system that is designed for sharing code we don't believe that this problem can be solved entirely within the technical domain. The intention instead is to also address it in the social domain, such that users will be able to use the social features of TiddlySpace to discover spaces and plugins that are safe to use. However, there are still technical steps that need to be taken in order for that to work. In particular, the system needs to be able to identify all the vectors through which a malicious attacker could inject malicious code into a space.

It's straightforward to detect plugins by looking for the systemConfig tag. Accordingly, future versions of TiddlySpace will enable users to optionally filter out plugins when they include a space. Less obvious vectors include:

- Computed macro parameters
- <script> tags and event handlers within <HTML> blocks

We'll address the latter problem soon, but we felt that it was worth drawing this change to everyone's attention now, and encourage people to prepare for TiddlySpace by exploring alternative approaches.
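A defender-side check for the three vectors listed above, as an added example that is not TiddlySpace's own code: it scans a tiddler's wikitext for computed macro parameters, the systemConfig tag, and <script> tags or inline event handlers inside <html> blocks, and shows how a computed parameter can be neutralised before a space is included. The sample tiddlers and the function names are constructed for this example.

```javascript
// Added example (not TiddlySpace code): scan one tiddler {title, text, tags}
// for the code-injection vectors the post lists.
const MACRO_RE = /<<[\s\S]*?>>/g;                   // TiddlyWiki macro call
const COMPUTED_PARAM_RE = /\{\{[\s\S]*?\}\}/;        // computed (JavaScript) parameter
const HTML_BLOCK_RE = /<html>([\s\S]*?)<\/html>/gi;  // raw HTML block in wikitext
const SCRIPT_RE = /<script\b/i;                      // <script> tag inside an HTML block
const EVENT_HANDLER_RE = /\son[a-z]+\s*=/i;          // onclick=, onload=, ...

// Returns a list of findings; an empty list means none of the vectors was seen.
function scanTiddler(tiddler) {
  const findings = [];
  if ((tiddler.tags || []).includes('systemConfig')) {
    findings.push({ vector: 'plugin', detail: 'tagged systemConfig' });
  }
  for (const macro of tiddler.text.match(MACRO_RE) || []) {
    if (COMPUTED_PARAM_RE.test(macro)) {
      findings.push({ vector: 'computed-param', detail: macro });
    }
  }
  for (const m of tiddler.text.matchAll(HTML_BLOCK_RE)) {
    const body = m[1];
    if (SCRIPT_RE.test(body)) {
      findings.push({ vector: 'html-script', detail: '<script> in <html> block' });
    }
    if (EVENT_HANDLER_RE.test(body)) {
      findings.push({ vector: 'html-event-handler', detail: body.match(EVENT_HANDLER_RE)[0].trim() });
    }
  }
  return findings;
}

// Replaces {{...}} inside macro calls with a literal string, so the macro
// still parses but no longer evaluates JavaScript.
function neutraliseComputedParams(text) {
  return text.replace(MACRO_RE, macro =>
    macro.replace(/\{\{[\s\S]*?\}\}/g, '"[computed parameter removed]"'));
}

// Constructed sample tiddlers (not real TiddlySpace content).
const SAMPLES = [
  { title: 'Notes', text: 'See <<tiddler {{tiddler.title + "_notes"}}>> for details.', tags: [] },
  { title: 'MyPlugin', text: '/***\n|Name|MyPlugin|\n***/', tags: ['systemConfig'] },
  { title: 'Widget', text: '<html><div onclick="doSomething()">hi</div><script>x()</script></html>', tags: [] },
  { title: 'Plain', text: 'Just <<tiddler OtherTiddler>> content.', tags: [] },
];

for (const t of SAMPLES) console.log(t.title, scanTiddler(t));
```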
Cheers Jeremy

--
Jeremy Ruston
mailto:[email protected]
http://www.tiddlywiki.com

