Hi Steve,

On the topic of your first point, TiddlySpot PHP... TiddlySpot uses a program on the server to save the TiddlyWiki file. When you press the save button on your TiddlyWiki, it makes a call to the server-side program to save itself on the server.

The team is saying they need to review the server-side script, apparently written in PHP. I reviewed a variation of that script. In my opinion the version I reviewed is adequate for a hobby site. I would want a lot of enhancements to it for anything serious (but that's just my opinion).

On the second point, there are really 2 issues in the one point. First is that anyone with access to save a TiddlyWiki on your site could modify the JavaScript that makes TiddlyWiki work. Since TiddlyWiki is giving you the ability to edit the JavaScript within the TiddlyWiki, it is easy for anyone who has access to it to modify and save it so that it affects the next person to view the TiddlyWiki.

Second is the issue of cross-site scripting (XSS). That is, because the core of TiddlyWiki can be modified by anyone who can save a TiddlyWiki, they can have it call outside scripts (this is how things like the Disqus plugin work). The problem is, like the first part, once one person modifies it, it affects everyone else who uses the TiddlyWiki.

In summary, TiddlyWiki requires a very high level of trust in everyone who can edit a TiddlyWiki document. As such, it may not be appropriate for environments where you shouldn't place a high level of trust in your users. Like, say, the students at a university.

The node.js version of TiddlyWiki might be a bit better in addressing the above, but it would still need to prevent the users from saving any JavaScript.

On Thursday, February 21, 2019 at 9:47:20 AM UTC-5, [email protected] wrote:

> Hello old friends,
>
> I'm working with the CIO at my University to see if it is possible to serve tiddlywiki files on our Web site.
>
> These are two concerns that have been raised:
>
> - Adding the TiddlySpot PHP script to enable rewriting from the browser is a potential security vulnerability that needs to be thoroughly vetted by the web team.
> - Exposing core JS files that can be publicly edited and have changes applied from the browser is a potential XSS vulnerability.
>
> Not sure what the first means ("TiddlySpot PHP" script - I had sent him a wiki served on TiddlySpot as an example of a page I wanted to host on our site). Could I eliminate that by building wikis from scratch on the desktop, or using TiddlyDesktop, or even on Google Drive?
>
> The second - any thoughts? Can changes to the JS be applied from the browser?
>
> (Is this question better asked in the TiddlyWiki dev group <https://groups.google.com/forum/#!searchin/TiddlyWikiDev/xss%7Csort:date> -- a place I've always feared entering... :)?
>
> Thanks for your help!
>
> //steve.
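The kind of save-side check the reply says a multi-user (node.js) TiddlyWiki server would still need, as an added example that is not part of this thread or of TiddlyWiki's own code. It assumes the server has already parsed an incoming tiddler into a flat object of fields; the blocked types, tag and title prefix are a constructed policy, and the sample save batch is constructed.

```javascript
// Added example: a server-side guard that refuses to store tiddlers which
// would run as code (or land unescaped in the page) for every later visitor.
// Assumes the server has already parsed the incoming tiddler into a flat
// object of fields such as {title, type, tags, text, 'module-type'}.

// Constructed policy: content types TiddlyWiki 5 executes or renders raw.
const BLOCKED_TYPES = new Set(['application/javascript', 'text/html']);
// Tiddlers carrying this tag are emitted as raw markup in the page <head>.
const RAW_MARKUP_TAG = '$:/tags/RawMarkup';
// Titles under this prefix are the shipped core; overriding them alters
// the wiki's own JavaScript for everyone who loads it.
const CORE_PREFIX = '$:/core/';

// TiddlyWiki stores tags as a space-separated string; multi-word tags are
// written as [[two words]].
function parseTags(tagField) {
  const tags = [];
  const re = /\[\[([^\]]+)\]\]|(\S+)/g;
  let m;
  while ((m = re.exec(tagField || '')) !== null) tags.push(m[1] || m[2]);
  return tags;
}

// Returns null when the tiddler may be saved, otherwise the reason to refuse.
function rejectReason(tiddler) {
  const type = String(tiddler.type || 'text/vnd.tiddlywiki').toLowerCase();
  if (BLOCKED_TYPES.has(type)) return `blocked content type ${type}`;
  if ('module-type' in tiddler) return 'module-type field would load it as a JS module';
  if (parseTags(tiddler.tags).includes(RAW_MARKUP_TAG)) return 'RawMarkup tag injects raw HTML';
  if (String(tiddler.title || '').startsWith(CORE_PREFIX)) return 'core tiddlers are read-only';
  return null;
}

// Screens a whole save request; only the accepted tiddlers should be written.
function screenSave(tiddlers) {
  const accepted = [], rejected = [];
  for (const t of tiddlers) {
    const reason = rejectReason(t);
    if (reason) rejected.push({ title: t.title, reason });
    else accepted.push(t);
  }
  return { accepted, rejected };
}

// Constructed sample: a harmless note plus a "plugin" that adds a startup module.
const SAMPLE_SAVE = [
  { title: 'Lecture notes', text: 'Week 3: sorting' },
  { title: 'Helpful plugin', type: 'application/javascript', 'module-type': 'startup', text: '/* ... */' },
];
```

Run against SAMPLE_SAVE, `screenSave` keeps the note and refuses the plugin; the same check belongs on every write path the server exposes, not only the browser save button.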

