1
0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2024-12-29 11:30:28 +00:00
TiddlyWiki5/editions/tw5.com/tiddlers/hiddensettings/Hidden Setting HtmlParserDisableSandbox.tid
jeremy@jermolene.com dbfd45814d Search and replace "v5.1.24" to "v5.2.0"
As discussed in #5708
2021-07-14 09:21:37 +01:00

14 lines
1.2 KiB
Plaintext

created: 20210411100148461
modified: 20210411100148461
tags: [[Hidden Settings]]
title: Hidden Setting: HTML Parser Sandbox
type: text/vnd.tiddlywiki
<<.from-version "5.2.0">> By default, tiddlers with the type `text/html` are displayed in an iframe with the [[sandbox attribute|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox]] set to the empty string. This causes all security restrictions to be applied, disabling many features such as JavaScript, downloads and external file references. This is the safest setting.
To globally disable the sandbox, set the tiddler $:/config/HtmlParser/DisableSandbox to `yes`. This will mean that the code in the iframe has full access to TiddlyWiki's internals, which means that a malicious HTML page could exfiltrate data from a private wiki.
To keep the sandbox but control which restrictions are applied, ensure that $:/config/HtmlParser/DisableSandbox is not set to `yes`, and then set $:/config/HtmlParser/SandboxTokens to the desired list of tokens [[from the MDN documentation|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox]].
Note that these are global settings. To control the sandboxing on an individual tiddler basis will require a custom `<iframe>` to be used.