Folks,

Just to clarify the original question and the subsequent discussion: I am 
not talking about injecting code, only responding to the parameters found on 
the URI.

There is already a fairly rich set of possibilities, and this is in keeping 
with normal website design. I am just hoping to commoditize some of these, 
such as responding to key=value pairs and converting them to global 
variables the wiki can respond to once loaded. 

There is the possibility of increased security by wise design, for 
example by providing the pass phrase to a tw-receiver saving mechanism on the 
command line (visible or otherwise). Thus at any point this pass phrase 
can be changed at the server or not provided to the wiki, so no save is 
possible. Once I develop my skills further I can pass other secrets that 
decrypt tiddlers or wikis only if another auth process supplies them.

Such mechanisms should be equally valid with Node and single-file wikis. 
It seems to me that on the auth front and invocation process we have mechanisms 
being developed for the Node wikis while single-file wikis are increasingly 
neglected. 

As Mario says, "We can send information to the core, as we did with #:safe 
mode. At startup we can check the address bar if it contains 'permalinks 
and permaviews' ...", but I want to take this further, in effect extending 
the info mechanism to parse the parameters and store them in tiddlers such 
as [prefix[$:/info/]] 
(<file:///C:/Data/TW5/Development/Scratch2.html#%24%3A%2Finfo%2Fbrowser>). 
Providing a helper for parsing such values (safely) gives designers a secure 
set of tools and discourages them from using less secure bespoke solutions; 
we could even build additional tests to sanitise the information provided 
on the URI.

I hope I am making myself clearer despite being somewhat of a newcomer to such 
methods.

Regards
Tony


On Thursday, May 16, 2019 at 9:31:09 PM UTC+10, PMario wrote:
>
> On Thursday, May 16, 2019 at 12:07:10 PM UTC+2, @TiddlyTweeter wrote:
> ...
>
>> Question: What is the way to prevent it?
>>
>
> We don't create a mechanism that allows injecting content from the 
> address bar. 
>
> We can send information to the core, as we did with #:safe mode. 
> At startup we can check the address bar if it contains "permalinks and 
> permaviews" ... 
>
> But we can't do stuff like: Write content to $:/config/newContent tiddler. 
>
> That's basically it. 
>
> -m
>
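As an added illustration of the safe parsing helper Tony describes above (example code, not TiddlyWiki's own), the snippet below reads key=value pairs from the address bar into entries under a fixed `$:/info/url/` prefix, so a parameter can never name a `$:/config/` tiddler; the allowlist of parameter names, the length cap and the plain-object store are assumptions.

```javascript
// Added example (not TiddlyWiki core code): parse key=value pairs from a
// URL fragment or query string into read-only "$:/info/url/<key>" entries.
// Assumptions (not from the thread): an allowlist of parameter names, a
// value length cap, and a plain object standing in for the wiki store.

const ALLOWED_KEYS = new Set(["view", "lang", "theme"]); // constructed allowlist
const MAX_VALUE_LENGTH = 256;
const KEY_PATTERN = /^[a-z][a-z0-9_-]{0,31}$/; // plain lowercase identifiers only

// Parse "k1=v1&k2=v2" taken from a hash such as "#Title?k1=v1" or a query
// string. Pairs that fail the checks are reported in `rejected`, never stored.
function parseUriParams(raw) {
  const accepted = {};
  const rejected = [];
  const fragment = raw.replace(/^[#?]+/, "");
  const idx = fragment.indexOf("?");
  // Anything before "?" is the permalink/permaview part and is left alone.
  const body = idx >= 0 ? fragment.slice(idx + 1) : fragment;
  for (const [key, value] of new URLSearchParams(body)) {
    // A percent-encoded "$:/config/x" decodes to a key with ":" and "/",
    // which the pattern rejects before the allowlist is even consulted.
    if (!KEY_PATTERN.test(key) || !ALLOWED_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    if (value.length > MAX_VALUE_LENGTH) {
      rejected.push(key);
      continue;
    }
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Write accepted parameters under the fixed $:/info/url/ prefix only. The
// caller cannot influence the prefix, so the address bar can describe
// state but cannot write to configuration tiddlers.
function storeInfoTiddlers(store, accepted) {
  for (const [key, value] of Object.entries(accepted)) {
    store["$:/info/url/" + key] = { text: value };
  }
  return store;
}
```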
