From 89546b3357b0696a7047e6915bd6cd137b589de6 Mon Sep 17 00:00:00 2001 From: "jeremy@jermolene.com" Date: Sun, 11 Apr 2021 10:10:16 +0100 Subject: [PATCH] Add a hidden setting to control HTML sandboxing --- core/modules/parsers/htmlparser.js | 6 ++++-- .../Hidden Setting HtmlParserDisableSandbox.tid | 13 +++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 editions/tw5.com/tiddlers/hiddensettings/Hidden Setting HtmlParserDisableSandbox.tid diff --git a/core/modules/parsers/htmlparser.js b/core/modules/parsers/htmlparser.js index 39b0c21df..206ab9c78 100644 --- a/core/modules/parsers/htmlparser.js +++ b/core/modules/parsers/htmlparser.js @@ -23,10 +23,12 @@ var HtmlParser = function(type,text,options) { type: "element", tag: "iframe", attributes: { - src: {type: "string", value: src}, - sandbox: {type: "string", value: ""} + src: {type: "string", value: src} } }]; + if($tw.wiki.getTiddlerText("$:/config/HtmlParser/DisableSandbox","no") !== "yes") { + this.tree[0].attributes.sandbox = {type: "string", value: $tw.wiki.getTiddlerText("$:/config/HtmlParser/SandboxTokens","")}; + } }; exports["text/html"] = HtmlParser; diff --git a/editions/tw5.com/tiddlers/hiddensettings/Hidden Setting HtmlParserDisableSandbox.tid b/editions/tw5.com/tiddlers/hiddensettings/Hidden Setting HtmlParserDisableSandbox.tid new file mode 100644 index 000000000..47f19b2cd --- /dev/null +++ b/editions/tw5.com/tiddlers/hiddensettings/Hidden Setting HtmlParserDisableSandbox.tid @@ -0,0 +1,13 @@ +created: 20210411100148461 +modified: 20210411100148461 +tags: [[Hidden Settings]] +title: Hidden Setting: HTML Parser Sandbox +type: text/vnd.tiddlywiki + +<.from-version "5.1.24">> By default, tiddlers with the type `text/html` are displayed in an iframe with the [[sandbox attribute|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox]] set to the empty string. This causes all security restrictions to be applied, disabling many features such as JavaScript, downloads and external file references. This is the safest setting. + +To globally disable the sandbox, set the tiddler $:/config/HtmlParser/DisableSandbox to `yes`. This will mean that the code in the iframe has full access to TiddlyWiki's internals, which means that a malicious HTML page could exfiltrate data from a private wiki. + +To keep the sandbox but control which restrictions are applied, ensure that $:/config/HtmlParser/DisableSandbox is not set to `yes`, and then set $:/config/HtmlParser/SandboxTokens to the desired list of tokens [[from the MDN documentation|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox]]. + +Note that these are global settings. To control the sandboxing on an individual tiddler basis will require a custom `