I also think that Eric's transclusions should be treated like plugins.
And I also think this can be achieved.
1) But "server side".
2) As you can see, "not executing" evaluated parameters
client-side doesn't add any security to TiddlySpace, as Tobias has
shown with his quick eval hack.
====
Some thoughts about 1)
Hash the content, and compare against a "plugin whitelist", when the
tiddler is saved.
If it doesn't pass the test, it can be _private_ only.
So I can use and test it until it passes the test.
A private malicious tiddler can only affect space members. But as an
owner of a space I'd only make someone a member if I trust her or
him. The server could tag a private tiddler "test not passed", so
members can easily find them and together make them pass the "approved
for public use" tests.
There is the question: how to get a plugin "white listed".
I think this should be discussed at TiddlyWeb or Dev group.
====
There has been some discussion about the target group that uses/should
use TiddlySpace.
a) As a default user (80%) I'd want to write text.
Make it public.
Done.
b) As an advanced user (15%) I'd want to write something like:
<<tiddler {{tiddler.title + "_notes"}}>> or
<<tiddler {{"[["+tiddler.title+"_notes]]"}}>>
I think some server-side white-list filter can see that this should be
allowed.
Done.
c) As a programmer (5%) I should be able to write code, that can be
"approved for public use".
And how to get "white listed" should imho be discussed at the TiddlyWeb or
TiddlyWikiDev group.
d) Maybe there is a better solution for b), so it can be added to a).
-mario
On Sep 22, 6:08 pm, Tobias Beer wrote:
> Hi Martin,
>
> I think Eric's transclusions provide a fairly good benchmark as to
> what others might as well (want to) accomplish and thus require
> parameter evaluation.
>
> As I said, these transclusions essentially are like plugins and from
> my point of view should be treated in the context of security measures
> on TiddlySpace just like anything tagged systemConfig ...in the case
> that parameter evaluation is being used in a transclusion.
>
> Cheers, Tobias.
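A sketch of the server-side save check Mario proposes above, combining the content-hash white list from point 1) with a pattern filter for the two evaluated-parameter shapes in case b). This is an added example in Python, not TiddlyWeb or TiddlySpace code; the sample plugin text, its white-list entry, the `systemConfig` check, the tag name "test not passed" and the allowed `{{...}}` shapes are assumptions taken from the thread.

```python
"""Server-side save check sketched in the thread: hash white list for plugins,
pattern filter for evaluated parameters. Added example, not TiddlyWeb code."""
import hashlib
import re
from dataclasses import dataclass, field

FAIL_TAG = "test not passed"  # tag name taken from the post

# Constructed sample plugin; its hash stands in for an "approved for public use" entry.
APPROVED_PLUGIN_TEXT = (
    "config.macros.hello = {\n"
    "  handler: function(place) { createTiddlyText(place, 'hi'); }\n"
    "};\n"
)


def content_hash(text: str) -> str:
    """Hash the exact saved text; no normalisation, so any edit changes the hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Hypothetical white list: hashes of plugin texts that passed the public-use tests.
PLUGIN_WHITELIST = {content_hash(APPROVED_PLUGIN_TEXT)}

# {{ ... }} is an evaluated (JavaScript) parameter inside a macro call.
EVAL_PARAM = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# The two shapes from case b): the current title concatenated with one string
# literal, optionally wrapped as a [[link]]. Nothing else is allowed inside {{ }}.
SAFE_EVAL = re.compile(
    r'^\s*(?:tiddler\.title\s*\+\s*"[^"\\{}]*"'
    r'|"\[\["\s*\+\s*tiddler\.title\s*\+\s*"[^"\\{}]*\]\]")\s*$'
)


@dataclass
class Tiddler:
    title: str
    text: str
    tags: list = field(default_factory=list)


@dataclass
class SaveDecision:
    private: bool   # enforced privacy; True means members-only
    tags: list      # tags after the server has added or removed FAIL_TAG
    reason: str


def check_on_save(tiddler: Tiddler, want_public: bool) -> SaveDecision:
    """Decide whether a tiddler may be public. Anything that fails is forced
    private and tagged, so space members can find it and work on it until it
    passes; the check is re-run on every save, so the tag disappears once it does."""
    tags = [t for t in tiddler.tags if t != FAIL_TAG]
    if "systemConfig" in tags:
        # Plugins: only an exact, pre-approved text may go public.
        ok = content_hash(tiddler.text) in PLUGIN_WHITELIST
        reason = "plugin hash in white list" if ok else "plugin hash not in white list"
    else:
        # Ordinary tiddlers: every {{...}} must match one of the known-safe shapes.
        rejected = [e for e in EVAL_PARAM.findall(tiddler.text) if not SAFE_EVAL.match(e)]
        ok = not rejected
        reason = "no disallowed evaluated parameters" if ok else (
            "disallowed evaluated parameter: {{%s}}" % rejected[0])
    if ok:
        return SaveDecision(private=not want_public, tags=tags, reason=reason)
    return SaveDecision(private=True, tags=tags + [FAIL_TAG], reason=reason)


if __name__ == "__main__":
    for t in (
        Tiddler("HelloPlugin", APPROVED_PLUGIN_TEXT, ["systemConfig"]),
        Tiddler("HelloPlugin", APPROVED_PLUGIN_TEXT + " ", ["systemConfig"]),
        Tiddler("Notes", '<<tiddler {{tiddler.title + "_notes"}}>>'),
        Tiddler("Evil", "<<tiddler {{alert(document.cookie)}}>>"),
    ):
        print(t.title, check_on_save(t, want_public=True))
```

The hash is taken over the exact saved bytes, so even a whitespace edit to an approved plugin drops it back to private until it is re-approved; that is the intended behaviour, since the white list vouches for one specific text. The pattern filter only covers the `{{...}}` evaluated parameters the thread talks about; any other way for a tiddler to run script would need its own rule.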