Using: http://mptw.tiddlyspot.com/#HideWhenPlugin with TS introduces
a security issue, because of the eval() used.
Would something like the following make it more secure, or is it just
a lame attempt?
merge(config.macros,{
    hideWhen: { handler: function(place,macroName,params,wikifier,paramString,tiddler) {
        // shadow these globals with undefined locals for the eval'd expression
        var clearInterval, clearTimeout, document, event, frames, history,
            Image, location, name,
            navigator, Option, parent, screen, setInterval, setTimeout, window,
            XMLHttpRequest, Function,
            jQuery, TiddlyWiki = undefined;
        // 'var eval;' shadows eval itself inside the evaluated code
        removeElementWhen( eval('var eval;' + paramString), place);
    }},
....
It would make simple things possible.
eg:
<html>
<div macro="hideWhen tiddler.title == 'New Tiddler' "> adsfasdf </div>
</html>
but
<html>
<div macro="hideWhen eval('evil code') "> adsfasdf </div>
</html>
will fail.
-m
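
An alternative to shadowing globals, as an added example that is not part of the original post or of HideWhenPlugin: parse only the comparisons a hideWhen condition needs and reject everything else, so no eval() is involved. The names evalCondition, tokenize and ALLOWED_FIELDS, the field allowlist and the grammar are assumptions made for this sketch.

```javascript
// Added example (hypothetical helper, not TiddlyWiki's API). Assumed grammar:
//   or := and ('||' and)* ; and := cmp ('&&' cmp)* ; cmp := unary (('=='|'!=') unary)?
//   unary := '!' unary | 'string' | number | true | false | tiddler.<field>
var ALLOWED_FIELDS = ['title', 'modifier', 'text']; // assumed allowlist
var TOKEN = /\s*(?:'((?:[^'\\]|\\.)*)'|(\d+)|tiddler\.([A-Za-z_]\w*)|(true|false)\b|(==|!=|&&|\|\||!))/y;

function tokenize(src, tiddler) {
  var tokens = [], pos = 0, m;
  src = src.trim();
  while (pos < src.length) {
    TOKEN.lastIndex = pos;
    m = TOKEN.exec(src);
    if (!m) throw new SyntaxError('unsupported syntax at offset ' + pos);
    pos = TOKEN.lastIndex;
    if (m[5]) { tokens.push({ op: m[5] }); continue; }
    if (m[3] && ALLOWED_FIELDS.indexOf(m[3]) < 0)
      throw new ReferenceError('field not allowed: ' + m[3]);
    tokens.push({ value: m[1] !== undefined ? m[1].replace(/\\(.)/g, '$1')
                       : m[2] ? Number(m[2])
                       : m[3] ? tiddler[m[3]]   // allowlisted field lookup only
                       : m[4] === 'true' });
  }
  return tokens;
}

function evalCondition(src, tiddler) {
  var tokens = tokenize(src, tiddler), i = 0;
  function isOp() { // is the next token one of the given operators?
    var t = tokens[i];
    return !!t && Array.prototype.indexOf.call(arguments, t.op) >= 0;
  }
  function unary() {
    if (isOp('!')) { i++; return !unary(); }
    var t = tokens[i++];
    if (!t || t.op) throw new SyntaxError('operand expected');
    return t.value;
  }
  function cmp() {
    var left = unary();
    if (!isOp('==', '!=')) return left;
    var negate = tokens[i++].op === '!=';
    return (left === unary()) !== negate; // '==' is evaluated as strict equality
  }
  function and() { var v = cmp(); while (isOp('&&')) { i++; v = cmp() && v; } return v; }
  function or() { var v = and(); while (isOp('||')) { i++; v = and() || v; } return v; }
  var result = or();
  if (i < tokens.length) throw new SyntaxError('unexpected trailing token');
  return Boolean(result);
}
```

In the macro handler this would stand in for the eval() call, e.g. removeElementWhen(evalCondition(paramString, tiddler), place), with a try/catch deciding what to do when a condition is rejected.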