Thanks for your quick response @pmario. You cleared up many of my
questions. However, if you could, could you explain the GitHub saving in
more depth? For example, is the entire code file saved from the html tag
onward? Or is something else used, such as the Tiddler text added to
existing commits? If the latter, could you explain how (with the GitHub
API) this is even possible?

On Thu, Apr 22, 2021 at 7:02 AM PMario <pmari...@gmail.com> wrote:

> On Thursday, April 22, 2021 at 2:42:04 AM UTC+2 flanc...@gmail.com wrote:
> ...
>
>> My question is this: From the TiddlyWiki GitHub saving file (
>> https://github.com/Jermolene/TiddlyWiki5/blob/master/core/modules/savers/github.js),
>> it looks as if the entire wiki file (ie from html tag or similar) is placed
>> inside a new commit for the user's given repo.
>>
>
> That's right. The git-savers are still working with a "single-file" wiki.
>
>
>> Correct me if I'm wrong, but this seems to be completely insecure. If it
>> does work the way I described (.get() request to GitHub to get SHAs and
>> pushing to provided filename), then what is keeping a user from inspecting
>> the code (Right Click>Inspect) and adding a <script>var addedVariable =
>> document.cookie;</script>, or adding TW5 saved localStorage password value
>> with <script>var
>> addedVariable=localStorage.getItem('PASSWORD-LocalStorageName');</script>
>> and then waiting for someone with proper permissions to come through and
>> save.
>>
>
> It's not that simple to add new code to the "inspected" code view. .. It's
> a viewer only. So you can't create new HTML elements and let the browser
> "execute" it.
>
> BUT you can add new tw plugins to the existing wiki, that is entirely held
> in the browser memory. ... IF you have local access to the PC you can make
> the TW save changes. ....
>
> BUT that's the same for every other app on the PC. So that's a completely
> different "security problem" than browser security. This has to be
> addressed at the OS level. Eg: Lock the system. So no other users have
> access to the system in general.
>
>
>> The way that this is working in my head (probably completely wrong) is
>> that this variable would be saved as it's inside the bounds of the tag
>> innerHTML, and run each time the wiki is opened.
>>
>
> As I wrote. If I was able to install a TW plugin ... Yes.
>
>
>> As TiddlyWiki is single-file when downloaded as empty, I can't envision a
>> multi-file system where each Tiddler is saved to a different .txt file, per
>> se, which is the way I would have approached this.
>>
>
> That's exactly the same problem as a single-file system. The difference is
> that it would be much harder to detect, because you have many files instead
> of one.
> So the problem doesn't go away if you use, e.g., a nodejs TW version. On the
> contrary, it's harder.
>
> -mario
>

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/CALXL%2BrMjZXJ2USkHm0gw2TEmVZBa3HnoMs5V7Dt9n3ZyDjeSNQ%40mail.gmail.com.