> Would something like the following make it more secure, or is it just
> a lame attempt?
> removeElementWhen( eval('var eval;' + paramString), place);
> It would make simple things possible:
> <div macro="hideWhen tiddler.title == 'New Tiddler' ">
> but
> <div macro="hideWhen eval('evil code') ">
> will fail.
This won't add any security at all. The macro is using eval() to
process the paramString as code. It doesn't need to use eval()
*within* that code to do evil things. ANY code processed by
<<hideWhen>> can do evil things:
<div macro="hideWhen evil code">
is sufficient to invoke arbitrary code, which won't be prevented by
your proposed change.
The only way to truly secure the plugin is to avoid using eval()
*everywhere* in the code. Then, we could write a simple parser that
processes a restricted syntax consisting of ONLY simple variable
references (e.g., tiddler.title, config.options.txtUserName, etc.),
comparison operators (e.g., "==", "!=", ">", "<") and literal values
(e.g., "SomeTitle", "MyUserName").
-e
--
You received this message because you are subscribed to the Google Groups
"TiddlyWikiDev" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/tiddlywikidev?hl=en.