A Big TimelineJS Update That You Shouldn’t Even Notice

Today we’re releasing a new version of TimelineJS, but most of you shouldn’t even notice a difference.

We make updates to TimelineJS periodically, and we usually don’t say much about it, partly because people who publish timelines using our embed tool are automatically updated to the new version—there’s nothing they need to change. That includes this new release. However, in this case, we thought it was worthwhile posting for two related reasons.

First, this release is in response to a security vulnerability in previous versions of TimelineJS. For an attacker to take advantage of this vulnerability, they must be able to edit your Google Sheets document, or whatever data source you use for your timeline. (Please note: you should never set your timeline spreadsheets to “anyone with the link can edit.”) We believed that creators would already be taking responsibility for who could edit their timelines, and so considered it an acceptable risk. However, earlier this year, we were contacted by security researcher Zander Work, who argued that there was enough risk of either people accidentally leaving their timelines editable, or by an “internal bad actor” taking advantage of the vulnerability. (We’ll say this again: you should never, ever, set your timeline spreadsheets to “anyone with the link can edit.”)

The security issue is an exposure to “cross-site scripting” attacks, also known as XSS attacks. These attacks take advantage of systems that pass through maliciously crafted HTML to a reader’s browser. For some fields, TimelineJS allows users to use HTML markup, intended for formatting and links. Until now, we did not check that markup, because we wanted people to have maximum flexibility in creating their timelines. With the new release, HTML markup in Google Sheets cells (or any other timeline data source) is “sanitized” to remove potentially risky markup, while known “safe” markup is passed through. The most common markup is generally passed through unchanged, but there’s a small chance that some of the HTML you are using is now stripped. If you use HTML in your TimelineJS Google sheet for links or formatting, you should take a minute to make sure nothing has changed.

This “sanitizing” process is fairly standard in web development today. We didn’t want to reinvent the wheel, and we wanted to take advantage of proven solutions. This led us to the other major change: in order to take advantage of one of these solutions, we decided to update TimelineJS to work a little better with npm and more modern JavaScript building processes.

Under the hood, this is a pretty big change, but it’s our intention that TimelineJS work exactly as it did before, and we’ve done pretty thorough side-by-side testing to see that it does. Nevertheless, with nearly 1 million timelines created (!!), there’s a chance a few of them won’t go so smoothly. As always, we’re happy to take your support requests. Please be sure to send us a URL where we can see the timeline in action—the best thing is the “share link” from the timeline creation tool.

This also sets us up to publish TimelineJS3 to the npm package registry, which has been a much requested feature. In fact, at least a few people have taken it upon themselves to publish a version themselves. Those don’t seem to be maintained, and won’t include the security fix. If installing TimelineJS via NPM is a priority for you, we strongly encourage you to use our package, available now.

For those interested in a more technical write-up, see Zander Work’s post.

About the author

Joe Germuska

Chief Nerd

Joe runs Knight Lab’s technology, professional staff and student fellows. Before joining us, Joe was on the Chicago Tribune News Apps team. Also, he hosts a weekly radio show on WNUR-FM – Conference of the Birds.

Latest Posts

  • A Big TimelineJS Update That You Shouldn’t Even Notice

    Today we’re releasing a new version of TimelineJS, but most of you shouldn’t even notice a difference. We make updates to TimelineJS periodically, and we usually don’t say much about it, partly because people who publish timelines using our embed tool are automatically updated to the new version—there’s nothing they need to change. That includes this new release. However, in this case, we thought it was worthwhile posting for two related reasons. First, this release...

    Continue Reading

  • AR Face Filters: How Do They Work and How Are They Changing Us?

    This video explains the mechanisms behind how selfie filters change our digital images and then how this might psychologically affect us. To make this video, I researched “Snapchat Dysmorphia” and also looked for the technical understanding of selfie filters. Before creating this video, I made a selfie filter for the Knight Lab using Spark AR to get a sense of how face deformation would work in Instagram selfie filters. The animation workflow for me looked...

    Continue Reading

  • 9 Important VR Experiences for Journalists to See

    In an era where social media outpaces print newspapers in the U.S. by a whopping 4% (Pew Research Center, 2018), there is much to be said about the role of interactive media technology in minimizing this gap between technology and storytelling. How can publications, and the journalists within them, use interactive media technology to re-engage with this lost audience? And why might this shift towards digital storytelling, such as VR, be more valuable for journalism than...

    Continue Reading

  • 7 Reflections on SRCCON:Productthe first conference for “product thinkers” in media

    Marco Túlio Pires On Feb. 8 in Philadelphia, I was lucky to be one of about 150 participants at SRCCON:Product, the first conference for “product thinkers” in media. A few reflections on what I saw and learned: 1. A quarter of a century into the digital age, we are finally figuring out how to build media products In 1995, I was named the first online director for The Miami Herald, with responsibility for launching the...

    Continue Reading

  • Building a Community for VR and AR Storytelling

    In 2016 we founded the Device Lab to provide a hub for the exploration of AR/VR storytelling on campus. In addition to providing access to these technologies for Medill and the wider Northwestern community, we’ve also pursued a wide variety of research and experimental content development projects. We’ve built WebVR timelines of feminist history and looked into the inner workings of ambisonic audio. We’ve built virtual coral reefs and prototyped an AR experience setting interviews...

    Continue Reading

  • A Brief Introduction to NewsgamesCan video games be used to tell the news?

    When the Financial Times released The Uber Game in 2017, the game immediately gained widespread popularity with more than 360,000 visits, rising up the ranks as the paper’s most popular interactive piece of the year. David Blood, the game’s lead developer, said that the average time spent on the page was about 20 minutes, which was substantially longer than what most Financial Times interactives tend to receive, according to Blood. The Uber Game was so successful that the Financial...

    Continue Reading

Storytelling Tools

We build easy-to-use tools that can help you tell better stories.

View More