TW wasn't built from the ground-up for multi-user, and it's definitely not how most people are using it. I'm sure products built as server-side entities (e.g. WikiMedia) have all sorts of protection against injected code.
Anyone who can write and save a tiddler can make a javascript tiddler, or a widget, or overwrite a javascript filter operator, or maybe header scripts, or maybe in-frame code. I guess you would have to think of all the ways that code could be injected and then neutralize everything that matched. But you'd have to do it before the tiddlers got written to the common pool, and you'd have to either block legitimate uses of the iframe, or figure out some way to detect that the frame doesn't contain js source code.

On Tuesday, August 17, 2021 at 7:06:05 PM UTC-7 [email protected] wrote:
> I am currently playing with "real-time multiplayer" capabilities for TW5, so this is an interesting security vulnerability to be aware of.
>
> My primary concern was "what if a malicious user connected a MIS-IDENTIFIED wiki to a real-time server. It has a bunch of malicious tiddlers, and it DOES NOT have a bunch of tiddlers that exist in the server copy."
>
> The real-time sync, once authenticated and authorized, would just absolutely wreck the server-copy of the wiki in this instance.
>
> Similarly, being able to somehow sync malicious javascript code, hidden in a data-uri to the server, which will sync it to all connected users is a concern...
>
> Best,
> Joshua Fontany
>
> On Tuesday, August 17, 2021 at 10:12:13 AM UTC-7 TiddlyTweeter wrote:
>
>> Mark S. wrote:
>>
>>> That was one of the concerns with TWederation. You could import from someone you trusted who imported from someone they trusted who ... actually couldn't be trusted. It's kind of a hard problem.
>>>
>>
>> *Right!* It IS an interesting issue. But *maybe as much an anthropological issue as a technical one.*
>> Suddenly tech switches into *"HOW CAN I TRUST?"* mode.
>> Despite the fact most everyone, well everyone, here (you, reading this) is completely trustworthy.
>> I think it's a basic sociological fact that much of the internet is NOW premised on the idea you can't trust anyone.
>> It has led to a kind of "authentication gymnastics" that makes doing some things very convoluted.
>>
>> Just rambles
>> TT
>>
>>> On Tuesday, August 17, 2021 at 8:13:42 AM UTC-7 [email protected] wrote:
>>>
>>>>> I'd be more concerned about people being tricked into importing a tiddler that contained code like this.
>>>>>
>>>>
>>>> From my perspective this is the only practical concern, and once again emphasizes the need to be careful when importing content from others.
>>>>
>>>
--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/cd5627ea-860f-4609-a680-723a297a8b9dn%40googlegroups.com.
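A defensive counterpart to the "neutralize everything that matched before it reaches the common pool" idea above, as an added example that is neither TiddlyWiki's code nor anything posted in this thread: a Node.js gate that a shared-store server could run on client-submitted tiddlers before writing them. It assumes tiddlers arrive as plain objects with string fields and a `tags` array (the shape of TiddlyWiki's JSON export); the `$:/tags/RawMarkup` tag prefix and the `application/javascript` / `module-type` fields are TW5 conventions as I know them, and the sample batch is constructed.

```javascript
// Added example, not TiddlyWiki's own code. A server-side gate that refuses
// tiddlers which would execute code in every other connected user's browser.
// Assumption: each tiddler is a plain object with string fields and a `tags`
// array, as in TiddlyWiki's JSON export.

const RAW_MARKUP_TAG = /^\$:\/tags\/RawMarkup/;   // head/body markup injection tags (TW5 convention)
const SCRIPT_TAG = /<script[\s>]/i;               // inline or linked <script> in wikitext/HTML
const DATA_URI_FRAME = /<iframe[^>]*\b(src\s*=\s*["']?\s*data:|srcdoc\s*=)/i; // frame carrying its own document

// Returns the reasons a tiddler counts as executable; an empty list means it may be stored.
function executableReasons(tiddler) {
  const reasons = [];
  const type = (tiddler.type || "").toLowerCase();
  if (type === "application/javascript") reasons.push("javascript tiddler");
  if ("module-type" in tiddler) reasons.push(`module-type=${tiddler["module-type"]}`);
  for (const tag of tiddler.tags || []) {
    if (RAW_MARKUP_TAG.test(tag)) reasons.push(`raw markup tag ${tag}`);
  }
  const text = tiddler.text || "";
  if (SCRIPT_TAG.test(text)) reasons.push("inline <script>");
  if (DATA_URI_FRAME.test(text)) reasons.push("iframe with data: or srcdoc content");
  return reasons;
}

// Splits a client batch into what the server may write and what it must refuse,
// so the decision is made before anything reaches the common pool.
function gateBatch(tiddlers) {
  const accepted = [];
  const rejected = [];
  for (const t of tiddlers) {
    const reasons = executableReasons(t);
    if (reasons.length) rejected.push({ title: t.title, reasons });
    else accepted.push(t);
  }
  return { accepted, rejected };
}

// Constructed sample batch: an ordinary note, a JS filter operator, a head-injection
// tiddler, and a note smuggling a data: iframe (values are made up for the example).
const SAMPLE_BATCH = [
  { title: "Notes", type: "text/vnd.tiddlywiki", text: "Plain wikitext, nothing executable." },
  { title: "$:/plugins/example/myfilter.js", type: "application/javascript",
    "module-type": "filteroperator", text: "exports.myfilter = function() {};" },
  { title: "Theme", tags: ["$:/tags/RawMarkup"], text: "<style>body{}</style>" },
  { title: "Embed", type: "text/vnd.tiddlywiki", text: '<iframe src="data:text/html;base64,AAAA"></iframe>' },
];

console.log(JSON.stringify(gateBatch(SAMPLE_BATCH).rejected, null, 2));
```

Legitimate iframes that point at an ordinary URL pass this gate; only frames that carry their own document (data: or srcdoc) are refused, which is the trade-off the message above describes.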

