A Big TimelineJS Update That You Shouldn’t Even Notice

Today we’re releasing a new version of TimelineJS, but most of you shouldn’t even notice a difference.

We make updates to TimelineJS periodically, and we usually don’t say much about it, partly because people who publish timelines using our embed tool are automatically updated to the new version—there’s nothing they need to change. That includes this new release. However, in this case, we thought it was worthwhile posting for two related reasons.

First, this release is in response to a security vulnerability in previous versions of TimelineJS. For an attacker to take advantage of this vulnerability, they must be able to edit your Google Sheets document, or whatever data source you use for your timeline. (Please note: you should never set your timeline spreadsheets to “anyone with the link can edit.”) We believed that creators would already be taking responsibility for who could edit their timelines, and so considered it an acceptable risk. However, earlier this year, we were contacted by security researcher Zander Work, who argued that the risk was high enough, whether from people accidentally leaving their timelines editable or from an “internal bad actor” taking advantage of the vulnerability, to justify a fix. (We’ll say this again: you should never, ever, set your timeline spreadsheets to “anyone with the link can edit.”)

The security issue is an exposure to “cross-site scripting” attacks, also known as XSS attacks. These attacks take advantage of systems that pass through maliciously crafted HTML to a reader’s browser. For some fields, TimelineJS allows users to use HTML markup, intended for formatting and links. Until now, we did not check that markup, because we wanted people to have maximum flexibility in creating their timelines. With the new release, HTML markup in Google Sheets cells (or any other timeline data source) is “sanitized” to remove potentially risky markup, while known “safe” markup is passed through. The most common markup is generally passed through unchanged, but there’s a small chance that some of the HTML you are using is now stripped. If you use HTML in your TimelineJS Google sheet for links or formatting, you should take a minute to make sure nothing has changed.

This “sanitizing” process is fairly standard in web development today. We didn’t want to reinvent the wheel, and we wanted to take advantage of proven solutions. This led us to the other major change: in order to take advantage of one of these solutions, we decided to update TimelineJS to work a little better with npm and more modern JavaScript building processes.
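To make the allowlist approach concrete, here is a small added example (not TimelineJS’s own code, nor the library it adopted) that passes through a handful of formatting tags and safe link attributes while dropping everything else, including script content, event-handler attributes and non-http link schemes. The allowed tag and attribute sets, and the accepted URL schemes, are illustrative assumptions.

```javascript
// Added example, not TimelineJS's code: an allowlist HTML sanitizer of the kind
// described above. The allowlists and the href scheme check are assumptions.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "br", "p"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// Elements whose text content is dropped together with the tag itself.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;
const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Keep only allowlisted attributes for this tag; href must use an allowed scheme.
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  let out = "";
  if (!allowed) return out;
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;                        // drops onclick, style, ...
    if (name === "href" && !SAFE_HREF.test(value)) continue; // drops javascript: and data: links
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

// Walk the cell's markup tag by tag, re-emitting only what the allowlist permits.
function sanitizeHtml(input) {
  let out = "", last = 0, dropping = null;
  const escape = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  for (const m of input.matchAll(TAG_RE)) {
    const [whole, slash, rawTag, rawAttrs] = m;
    const tag = rawTag.toLowerCase();
    const text = input.slice(last, m.index);
    last = m.index + whole.length;
    if (dropping) {
      if (slash && tag === dropping) dropping = null;        // reached </script> etc.
      continue;                                              // discard enclosed content
    }
    out += escape(text);
    if (ALLOWED_TAGS.has(tag)) {
      out += slash ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, rawAttrs)}>`;
    } else if (!slash && DROP_CONTENT.has(tag)) {
      dropping = tag;
    } // any other disallowed tag is removed but its text content is kept
  }
  if (!dropping) out += escape(input.slice(last));           // unclosed <script> drops the tail
  return out;
}
```

A regex tokenizer like this only makes the allowlist logic visible; a production sanitizer should be a maintained DOM-based library, which is the route the post describes taking.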

Under the hood, this is a pretty big change, but it’s our intention that TimelineJS work exactly as it did before, and we’ve done pretty thorough side-by-side testing to see that it does. Nevertheless, with nearly 1 million timelines created (!!), there’s a chance a few of them won’t go so smoothly. As always, we’re happy to take your support requests. Please be sure to send us a URL where we can see the timeline in action—the best thing is the “share link” from the timeline creation tool.

This also sets us up to publish TimelineJS3 to the npm package registry, which has been a much requested feature. In fact, at least a few people have taken it upon themselves to publish a version themselves. Those don’t seem to be maintained, and won’t include the security fix. If installing TimelineJS via npm is a priority for you, we strongly encourage you to use our package, available now.

For those interested in a more technical write-up, see Zander Work’s post.

About the author

Joe Germuska

Chief Nerd

Joey runs Knight Lab’s technology, professional staff and student fellows. Before joining us, Joe was on the Chicago Tribune News Apps team. He's the project lead for CensusReporter.org and a board member of City Bureau.
