On Thursday, February 21, 2019 at 6:47:20 AM UTC-8, st...@sunypoly.edu 
wrote:
>
> I'm working with the CIO at my University to see if it is possible to 
> serve tiddlywiki files on our Web site.
> These are two concerns that have been raised:
>
>    - Adding the TiddlySpot PHP script to enable rewriting from the 
>    browser is a potential security vulnerability that needs to be thoroughly 
>    vetted by the web team. 
>    - Exposing core JS files that can be publicly edited and have changes 
>    applied from the browser is a potential XSS vulnerability.
>
>
If all you want to do is "serve tiddlywiki files"... then it is really no 
different than hosting any other regular HTML file on the server.  Without 
adding any additional server-side scripts (which could impact on existing 
security protocols), you would simply upload an HTML file to the server 
using whatever method is currently in place and approved by the University.

The entire uploaded TW is then simply delivered to the browser just like any 
other HTML file, and the javascript executes completely within the 
client-side browser, which runs in a locked-down sandbox environment that 
is not permitted to perform local file I/O.

The user CAN make changes in the TW and save them to a **local file** by 
using the default "download saver".  However, this does NOT create anything 
new *on the server* and opening the locally-saved TW file will still be 
secure since it is locked-down in the browser's sandbox environment.

-e
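The point of the reply above is that a TiddlyWiki uploaded as a plain HTML file, with no server-side saver script, is read-only on the server: the browser can fetch it, but nothing the browser does can write it back. A quick way for a web team to confirm that property on a staging server is to issue GET and then PUT/POST against the file's URL and check that only GET succeeds and the file on disk is untouched. The following is an added example (not code from the poster or from the TiddlyWiki project); it uses Python's standard-library static handler as a stand-in for the real web server and a constructed stub in place of a real TiddlyWiki file, so it runs offline.

```python
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed stand-in for an uploaded TiddlyWiki HTML file (not a real TW build).
SAMPLE_TW_HTML = (
    b"<!doctype html><html><head><title>Demo TiddlyWiki</title></head>"
    b"<body><script>/* all logic runs client-side */</script></body></html>"
)


class QuietStaticHandler(http.server.SimpleHTTPRequestHandler):
    """Stdlib static handler: implements GET/HEAD only, so any write method is refused."""

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_static_server(directory):
    """Serve `directory` read-only on a random localhost port; returns the server object."""
    handler = functools.partial(QuietStaticHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _status(url, method, data=None):
    """HTTP status code for a single request; error responses are returned, not raised."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_read_only(base_url, path):
    """Probe one URL: GET must serve the page, PUT/POST must be refused (4xx/5xx)."""
    url = base_url + path
    results = {
        "GET": _status(url, "GET"),
        "PUT": _status(url, "PUT", data=b"<html>modified</html>"),
        "POST": _status(url, "POST", data=b"text=modified"),
    }
    results["read_only"] = results["GET"] == 200 and all(
        results[m] >= 400 for m in ("PUT", "POST")
    )
    return results


def demo():
    """Upload the stub wiki to a temp dir, probe it, and confirm the file on disk is unchanged."""
    directory = tempfile.mkdtemp()
    wiki_path = os.path.join(directory, "wiki.html")
    with open(wiki_path, "wb") as fh:
        fh.write(SAMPLE_TW_HTML)
    server = start_static_server(directory)
    try:
        base_url = "http://127.0.0.1:%d" % server.server_address[1]
        results = check_read_only(base_url, "/wiki.html")
    finally:
        server.shutdown()
        server.server_close()
    with open(wiki_path, "rb") as fh:
        results["file_unchanged"] = fh.read() == SAMPLE_TW_HTML
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, point `check_read_only` at the staging hostname and the uploaded file's path instead of the embedded server; a `read_only` of True together with an unchanged file is the evidence that no server-side write path exists, which is exactly the situation the reply describes. If either write method returns 2xx, some script or module on the server is accepting uploads and that is what the web team needs to vet.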

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To post to this group, send email to tiddlywiki@googlegroups.com.
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/38191b28-aec4-4af8-9a55-999763b79c3c%40googlegroups.com.