As I understand this, two key principles with JavaScript and TiddlyWiki are:
- It should be written to be compatible with the way TiddlyWiki works, allowing TiddlyWiki to refresh correctly and not break things.
- It should ONLY be loaded at the load of the HTML file, so if hosted online a “bad actor” cannot “inject” JavaScript code that can interrogate or manipulate the server or host on which it is running.
- If someone has write access to the online file they can install and reload your wiki, so you must not let anonymous and potential bad actors have this ability.
You may be tempted
- Sure, you may decide your wiki is local only and decide to give your wiki this ability, but:
- It is easy to forget and share it with other people or put it online, and now you or they have a security risk (this could damage your or TiddlyWiki’s reputation).
- If you make your wiki available on the LAN or an internet connection, there is now a hacker path to compromising your computer, which is now a server/host.
- It is so easy to save and reload locally, so introducing JavaScript the correct and legitimate way on your computer is best, even locally.
- You can also get support from the community and your work can then be safely shared with others and contribute to the community.
Finally, there are other ways to reference external resources, from raw system tags, iframes and HTML that accesses other resources on a host, so there is no need to complicate or put at risk your TiddlyWiki.
Another reason to avoid JavaScript without checking with the community whether there is an existing solution is that you may cause fragmentation of the solutions available. I, for one, often see people introducing JavaScript for things I can already do with the core or a well-known plugin. This is a waste of their time and adds less value to TiddlyWiki as a whole.
If you have JavaScript skills, please use them to improve and enhance TiddlyWiki, rather than complicate and duplicate. If your solutions are popular, please don’t introduce bugs or security risks that we, the community, will have to work to address.
- For example, I have connected some JavaScript modules to use cookies, and get/set the window.name or HTML target; these are not possible in the core. Happy to share.