On Wednesday, July 24, 2019 at 12:44:47 PM UTC+2, Mat wrote:
...
> To what extent is JSON content sandboxed?

JSON (JavaScript Object Notation) is just a data format. ... So as long as you don't execute executable content, nothing happens. ... BUT it's *not* a sandbox.

> I.e. can harmful tiddlers that are packaged up as JSON still be harmful
> when in the JSON format?

If a JSON tiddler contains the right structure _and_ type fields, e.g. "type": "application/javascript", TiddlyWiki will interpret it as a plugin. If you import the content, save and reload the page, it will be activated. ... Then it can do harm!

For TW the same rules apply as for any other content from the web. *Don't install stuff from sources you don't trust.*

This is really important, since with TiddlyWiki we don't have any signing mechanism in place where a user could verify if a plugin source has been modified.

...

-m
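
A pre-import check for the case described in the reply above, as an added example that is not part of the original post or of TiddlyWiki's own code: it parses a JSON tiddler export as data only and lists the entries that would carry code. The function name, the sample tiddlers, and the `module-type` / `plugin-type` field checks are assumptions; only the `"type": "application/javascript"` marker comes from the post.

```javascript
"use strict";

// Type named in the post as the one that turns a JSON tiddler into code.
const EXECUTABLE_TYPES = new Set(["application/javascript"]);
// Assumption (not from the post): fields that mark a tiddler as a module or plugin.
const ACTIVATION_FIELDS = ["module-type", "plugin-type"];

// Hypothetical helper: inspect an export before importing it into a wiki.
function auditTiddlers(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText); // treat the file as data; never eval() it
  } catch (err) {
    return { ok: false, error: "not valid JSON: " + err.message, findings: [] };
  }
  // Accept either an array of tiddlers or a single tiddler object.
  const tiddlers = Array.isArray(parsed) ? parsed : [parsed];
  const findings = [];
  tiddlers.forEach((t, index) => {
    if (t === null || typeof t !== "object" || Array.isArray(t)) {
      findings.push({ index, title: null, reasons: ["entry is not a tiddler object"] });
      return;
    }
    const reasons = [];
    // Normalise so that " Application/JavaScript " is not missed.
    const type = typeof t.type === "string" ? t.type.trim().toLowerCase() : "";
    if (EXECUTABLE_TYPES.has(type)) reasons.push("type=" + type);
    for (const field of ACTIVATION_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(t, field)) reasons.push("has field " + field);
    }
    if (reasons.length) findings.push({ index, title: String(t.title ?? ""), reasons });
  });
  return { ok: findings.length === 0, error: null, findings };
}

// Constructed sample export (not taken from any real wiki).
const SAMPLE_EXPORT = JSON.stringify([
  { title: "Meeting notes", type: "text/vnd.tiddlywiki", text: "Plain wikitext." },
  { title: "$:/demo/startup.js", type: "application/javascript",
    "module-type": "startup", text: "/* code would go here */" },
  { title: "Theme bundle", type: "application/json", "plugin-type": "plugin", text: "{}" }
]);

const report = auditTiddlers(SAMPLE_EXPORT);
for (const f of report.findings) {
  console.log(`[${f.index}] ${f.title}: ${f.reasons.join(", ")}`);
}
```

An empty findings list only means none of these markers was present in the file; the decision to import still rests on whether the source is trusted.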
