Hello! I’m new to Twine, and to coding in general. I’ve spent a couple days reading and watching tutorials, but I wish I could get my hands on the code of full working games. If I could SEE everything working together and how it all connects, I feel like a lot of these concepts would not be so alien then.
Anyone know of a database where people open-source their interactive fiction projects? Something I can either download and open in Twine or a step by step guide detailing the work process?
I just searched on IFDB.org for anything with the “twine source available” tag and got this list; not sure if it lines up with the formats you’re interested in, or if there are other places to look, but maybe it’s a start?
People don’t share their source for twine because it’s thankfully not necessary. If you choose “import from file” and load the html of the game into twine, the entire game project will be made available for you including its source and original tile positions.
Thank you for all the replies! So I’ve been trying to import a .html file. I’ve downloaded a handful but can’t seem to import the .html OR the .tws
I’ve tried opening them in both Twine and Twine 2. It gives me a buffer symbol and then nothing.
Am I missing a step or downloading the wrong thing perhaps?
Strange. Does this one work? That’s the one I tested it with. It’s supposed to work with all of them, but I haven’t tested it with that many.
You should also be able to do it with tweego, which is a command line compiler. You can load the game using that and convert it to a twine archive ready to be imported into twine. But it really shouldn’t be necessary to do that.
(1) the file internally contains a Python pickle, so if your Python programming skills are advanced enough you may be able to extract the Passages contained within that file using some other means than the Twine 1.x application.
Isn’t this inherently insecure? The Python manual says never to load pickle data from an untrusted or unverified source.
I guess my real concern is that trusting a Python pickle to run on your system is different from trusting JavaScript or WebAssembly to run in-browser because pickles can contain executable Python code, and it seems like that may be a way to break out of what sandboxing that browsers do by default.
(Apologies for taking the topic in a different direction. I’m happy to move this to another thread if it starts to derail the main discussion.)
You can just use regular regexp instead of dealing with pickle stuff. It’s not like the source is compressed or anything.
I used something like this in my markdown converter app.
var unencode = function(text) {
text = text.replace(/\\"/g, '"');
text = text.replace(/\\'/g, "'");
text = text.replace(/"/gi, '"');
text = text.replace(/&/gi, '&');
text = text.replace(/</gi, "<");
text = text.replace(/>/gi, ">");
return text;
};
var entries = [];
var passages = source.match(/<tw-passagedata[^<]+<\/tw-passagedata>/g);
if (passages === null) throw new Error("Not a valid twine export HTML file.");
for (let passage of passages) {
let data = passage.match(/[^n]+name="((?:\\"|[^"])+)"[^>]*>((?:<(?!\/tw-passagedata)|[^<])+)<\/tw-passagedata>/);
if (data === null) continue;
let title = unencode(data[1].trim());
let text = data[2].trim();
text = unencode(text);
entries.push({"title": title, "text": text});
}
entries will be an array containing objects structured like this:
[
{
title: "passage one",
text: "This is the text of the first passage."
},
{
title: "passage two",
text: "This is the text of the second passage."
}
]
This is all true, but I think I was unclear about the question I was asking. I guess that what I really meant was “Doesn’t this imply that there are published Twine games in the wild that are vulnerable to this kind of exploit?”
Nah. A pickle is basically python’s version of JSON.
From the docs:
- Unlike pickle, deserializing untrusted JSON does not in itself create an arbitrary code execution vulnerability.
First, I’m not even sure how the pickle comes into play since the data isn’t stored as JSON-like format. It’s stored more like XML.
<tw-story name="My Story">
<tw-passagedata name="first passage">
The is the fist passage.
</tw-passagedata>
</tw-story>
And nothing in Twine runs python, so the pickle thing is kind of moot. I think Greyelf was just suggesting it for parsing.
But second, the big difference between python and JS is that python has system level access and JS only has browser level access. People always freak out about running the eval() command in JS, but literally the worst it can do on the client side is add a bookmark and change your home page.
In the current 2.* version of Twine yes, but Twine 1.* had a different .tws format for unpublished works which used pickle.
Maybe, but the format doesn’t seem to be used anymore and, more importantly, the format was only used for works in progress and not for published games. The risk wouldn’t be in playing games in the browser, it is in downloading an untrusted game’s source (the .tws file) and opening it in Twine 1.*.
Ah. Thank you for that. I haven’t messed with Twine 1 much (I came in with Twine 2) so I just assumed that the storing of its format used the XML-like data similar to how Twine 2 and TiddlyWiki do, since it’s based off TiddlyWiki. But maybe TiddlyWiki also used to use pickle data. I don’t know the history of that system either.
Thank you for all the help guys! I have found a handful of games whose .html file did run in Twine. It’s a tremendous help to look at how a game functions from start to finish.
Thank you again
A published / released story HTML file uses such a structure to store the Passage meta-data that the story format’s engine uses as its data-source, however the meta-data area within the story HTML file generated by the Twine 1.x application is structurally different to that generated by the Twine 2.x application. And this structural difference is why you can’t directly import the story HTML file generated by one of the two “Twine” applications into the other.