Hi,
I understand the issue and totally agree that it is/will be needed.
But a little bit more time to fix/adjust existing spaces would have
been nice.
-m
PS: The following page template definition still seems to work.
<div macro='hideWhen {{
var tid=store.getTiddler("CSidebarTools");
tid.tags.contains("hide");}}'>
<div id='sidebarTools' class='box' refresh='content' force='true'
tiddler='CSidebarTools'></div>
</div>
On Sep 21, 6:01 pm, Jeremy Ruston <[email protected]> wrote:
> It's worth drawing attention to a recent change we've made to the
> TiddlySpace core that will soon filter out to tiddlyspace.com:
>
> http://github.com/TiddlySpace/tiddlyspace/commit/90730c3fbc23fc597836...
>
> The change disables the use of TiddlyWiki's computed macro parameters
> within TiddlySpace. This means that macros that use computed
> JavaScript parameters like this will no longer work:
>
> <<tiddler {{tiddler.title + "_notes"}}>>
>
> The change is part of a range of measures that we need to take to make
> TiddlySpace more secure.
>
> The fundamental issue is that TiddlySpace is an environment for
> sharing both code and content. The ability for users to share code is
> powerful, and one of the things that I think has led to TiddlyWiki's
> success. But it can also present dangers, particularly in the hands of
> the malicious or the inexperienced.
>
> For example, a malicious user could entice users to include a space
> that includes code that "steals" the users private data and sends it
> back to the attacker.
>
> In a system that is designed for sharing code we don't believe that
> this problem can be solved entirely within the technical domain. The
> intention instead is to also address it in the social domain, such
> that users will be able to use the social features of TiddlySpace to
> discover spaces and plugins that are safe to use.
>
> However, there are still technical steps that need to be taken in
> order for that to work. In particular, the system needs to be able to
> identify all the vectors through which a malicious attacker could
> inject malicious code into a space.
>
> It's straightforward to detect plugins by looking for the systemConfig
> tag. Accordingly, future versions of TiddlySpace will enable users to
> optionally filter out plugins when they include a space. Less obvious
> vectors include:
> - Computed macro parameters
> - <script> tags and event handlers within <HTML> blocks
>
> We'll address the latter problem soon, but we felt that it was worth
> drawing this change to everyone's attention now, and encourage people
> to prepare for TiddlySpace by exploring alternative approaches.
>
> Cheers
>
> Jeremy
>
> --
> Jeremy Ruston
> mailto:[email protected]
> http://www.tiddlywiki.com
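The vectors Jeremy lists above (computed macro parameters, <script> tags and event handlers inside <html> blocks, and plugins tagged systemConfig), as an added detection example that is not TiddlySpace or TiddlyWiki code: a scan over tiddler text that flags each vector, plus the optional plugin filter he describes for including a space. The tiddler shape { title, text, tags }, the function names and the sample tiddlers are assumptions constructed for the example; two of the samples reuse the snippets quoted in this thread.

```javascript
// Added example, not TiddlySpace/TiddlyWiki code. Flags the code-injection
// vectors named in the thread inside tiddler text and applies the
// "drop plugins when including a space" filter. Tiddler shape is assumed.

const MACRO_CALL = /<<[\s\S]*?>>/g;                               // <<macro params>>
const TEMPLATE_MACRO_ATTR = /\bmacro\s*=\s*(['"])([\s\S]*?)\1/gi; // macro='...' in a page template
const HTML_BLOCK = /<html>([\s\S]*?)<\/html>/gi;                  // TiddlyWiki raw-HTML block
const COMPUTED = /\{\{[\s\S]*?\}\}/;                              // {{ javascript }} computed parameter
const SCRIPT_TAG = /<script\b/i;
const EVENT_HANDLER = /\son[a-z]+\s*=/i;                           // onclick=, onload=, ...

// Returns a list of { kind, detail } findings for one tiddler.
function scanTiddler(tiddler) {
  const findings = [];
  const text = tiddler.text || "";
  const tags = tiddler.tags || [];

  // 1. Plugins are the easy case: the systemConfig tag marks executable code.
  if (tags.includes("systemConfig")) {
    findings.push({ kind: "plugin", detail: "tagged systemConfig" });
  }

  // 2. Computed macro parameters, either in a <<...>> call or in a
  //    macro='...' attribute of a page template (the PS above is one).
  for (const m of text.matchAll(MACRO_CALL)) {
    if (COMPUTED.test(m[0])) findings.push({ kind: "computed-param", detail: m[0] });
  }
  for (const m of text.matchAll(TEMPLATE_MACRO_ATTR)) {
    if (COMPUTED.test(m[2])) findings.push({ kind: "computed-param", detail: m[0] });
  }

  // 3. <script> tags and on*= event handlers inside <html> blocks.
  for (const m of text.matchAll(HTML_BLOCK)) {
    const body = m[1];
    if (SCRIPT_TAG.test(body)) findings.push({ kind: "script-tag", detail: body.trim() });
    if (EVENT_HANDLER.test(body)) findings.push({ kind: "event-handler", detail: body.trim() });
  }
  return findings;
}

// Map of title -> finding kinds, for reporting on a whole space.
function scanSpace(tiddlers) {
  const report = {};
  for (const t of tiddlers) report[t.title] = scanTiddler(t).map(f => f.kind);
  return report;
}

// Inclusion filter: tiddlers carrying any non-plugin vector are always dropped;
// plugins are dropped only when the user opts to filter them out.
function filterIncludedSpace(tiddlers, { dropPlugins = true } = {}) {
  return tiddlers.filter(t =>
    !scanTiddler(t).some(f => f.kind !== "plugin" || dropPlugins)
  );
}

// Constructed sample space (hypothetical tiddlers, not content from any real space).
const SAMPLE_SPACE = [
  { title: "Welcome", text: "Plain text with a harmless <<tiddler Sidebar>> call.", tags: [] },
  { title: "Notes", text: '<<tiddler {{tiddler.title + "_notes"}}>>', tags: [] },
  { title: "PageTemplate", tags: [], text:
      "<div macro='hideWhen {{\nvar tid=store.getTiddler(\"CSidebarTools\");\n" +
      "tid.tags.contains(\"hide\");}}'>\n<div id='sidebarTools' class='box' " +
      "refresh='content' force='true' tiddler='CSidebarTools'></div>\n</div>" },
  { title: "Widget", text: '<html><button onclick="doThing()">Click</button></html>', tags: [] },
  { title: "Scripted", text: "<html><script>/* inline code */</script></html>", tags: [] },
  { title: "MyPlugin", text: "config.macros.hello = {};", tags: ["systemConfig"] },
];

console.log(scanSpace(SAMPLE_SPACE));
console.log(filterIncludedSpace(SAMPLE_SPACE).map(t => t.title));
```

Only the Welcome tiddler survives the default filter; passing { dropPlugins: false } keeps MyPlugin as well, which is the optional plugin filtering the message describes. The scan is text-based and deliberately conservative: anything matching a vector is reported for a human to look at, rather than trying to judge whether the embedded code is benign.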
--
You received this message because you are subscribed to the Google Groups
"TiddlyWiki" group.