Hi Jeremy,

This seems a major cutback and as such is really bad news.

Does that mean that none of what we call transclusions these days will
work in TiddlySpace?!?

Would it be reasonable to ask for an ability to allow users to turn on
"insecure mode"?

Why not simply handle transclusions like plugins instead... security-wise?
Meaning: to require a standard tag indicating that something is
a transclusion which only then allows for parameter
evaluation... otherwise not. There really should be no difference in
managing transclusions or plugins as both contain executable code.

I understand the concerns, but I think it would be better to advise users
on their responsibility as to "know" what they include and to improve
a user's ability to evaluate the reliability or stability of such
content by seeing user votes on these things or knowing trustworthy
authors, etc.

I also understand that anything {{eval}} presents possible security
issues. But, would you mind explaining precisely how malicious users
can hijack another user's space?

How is disallowing parameter evaluation not just one of a
myriad of (potential) security problems and therefore maybe not worth
restricting, as there is plenty more, equally exploitable room for
manipulation?

Of course, no client-side manipulation should be able to compromise
the server, but (potentially) only a user's data instead.

This issue feels to me like - yet again - (maybe just a false sense
of) security comes at the cost of utterly restricting degrees of
freedom... which I most always tend to find rather unfortunate.

So here is my vote for a policy that reads like this: "Put plugins and
transclusions on an equal standing while letting users decide on how
secure they need their spaces and contents to be (or user managers on
the security level of members in the user group they are to
manage... if something like that should ever be developed.)"

Kind regards, Tobias.
