Forums | Mahara Community
Twitter timeline workaround
28 January 2014, 17:30
Hi - I have read about troubles with Twitter timelines under their new system. Here is a workaround. It does have a small problem as you will see.
First, I created an HTML page using notepad and then pasted the Twitter embed code from the settings (technically, it is not <embed> code). Then I surrounded the code with opening and closing html and body tags:
<html><body> <twitter code> </body></html>
Save the notepad file as "All types" and then add an html file extension.
Next, I uploaded the page to our server (this is the 'small problem'). I added our server (Mahara installation) URL to the allowed iframe sources. Then, in the embed external content block, I typed the following code:
<iframe src="http://oursmaharainstallation/twitterfeed/pleslie_twitter.html" height="500" frameborder="0" scrolling="no"></iframe>
It works quite well: http://eportfolio.cisweb.hct.ac.ae//user/view.php?id=3
Now, I need to figure out where our users can save their file. I could just collect them every day and add them via FTP myself. We only have about 150 users. I might get users to load their files to a Google Drive folder and then just check daily. They can always edit their embed code on their own. They only need to send the Twitter feed HTML once.
This does not seem to work if you upload your html file to the Mahara file manager.
Any comments?
29 January 2014, 14:19
Hello Paul,
Quite the workaround. :-) My only concerned comment would be to know how much of the URL you have in the allowed iframe sources. It would be great if it's not only "ourmaharainstallation" but "ourmaharainstallation/twitterfeed" as that reduces the possibilities of what can be embedded. As iframes are quite insecure, the URL should be as long as possible to avoid potential security issues, e.g. if someone puts an exe file into "ourmaharainstallation/virus.exe". It does not prevent users from putting that into the twitterfeed directory.
Uploading them to the Mahara file manager would not work because we are stripping out all Javascript or other code that is potentially malicious.
The Twitter widgets do not rely on iframes and thus can't be embedded easily. To make embedding more secure, a filter would need to be created to allow the Javascript that Twitter relies on.
Cheers
Kristina
29 January 2014, 15:35
Thanks for your reply. I see your point about the allowed sources. I will look into that and add the full path.
I was hoping to use Google drive to hold the files and then users could just save their twitter feed file themselves. However the google doc file did not work. I will re-examine that process. I may have missed something.
I think I can just add the user files myself via filezilla as it really only takes a few seconds. I just have a shared drive folder and when students / faculty put their files in, I can quickly drag them to the server folder.
Do you have any ideas on a more automated process?
Paul
30 January 2014, 9:27
Hello Paul,
The manual dragging and dropping of the files allows you to make sure that there are only HTML files instead of potentially dangerous ones (though the HTML files could also contain malicious code). There is probably a way to automate that with cron and rsync and only take files with the extension HTML, but I'm afraid I wouldn't know what and how.
Good luck
Kristina
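
The scheduled copy discussed above (take only files with the HTML extension from a drop folder), as an added example that is not part of the original thread. It uses a plain `cp` loop instead of rsync; the script name, the folder paths in the cron comment and the size cap are assumptions.

```shell
#!/bin/sh
# Added example: copy only small, plainly named *.html files from a drop
# folder into the directory that the iframe allow-list points at.
# Hypothetical cron entry (paths are placeholders, not from the thread):
#   */15 * * * * /usr/local/bin/sync_twitter_html.sh /srv/dropfolder /var/www/twitterfeed
# The filter looks at name, type and size only. It does not inspect the
# markup, so an accepted .html file can still carry unwanted script.

MAX_BYTES=20000   # assumed cap; a page wrapping one widget snippet is tiny

# sync_html SRC_DIR DEST_DIR  -> prints the number of files copied
sync_html() {
    src=$1
    dest=$2
    copied=0
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue        # regular files only (also skips an empty glob)
        [ -L "$f" ] && continue        # never follow symlinks out of the drop folder
        name=$(basename "$f")
        case $name in
            *.html|*.HTML) ;;          # extension allow-list
            *) continue ;;
        esac
        case $name in
            *[!A-Za-z0-9._-]*) continue ;;   # reject spaces and shell/URL metacharacters
        esac
        size=$(($(wc -c < "$f")))
        [ "$size" -le "$MAX_BYTES" ] || continue
        # Copy under the same name and make it world-readable but not executable.
        cp "$f" "$dest/$name" && chmod 644 "$dest/$name" && copied=$((copied + 1))
    done
    echo "$copied"
}

# Run directly when called with two arguments, e.g. from cron.
if [ "$#" -eq 2 ]; then
    sync_html "$1" "$2"
fi
```

Anything the loop skips (executables, oversized files, symlinks, odd names) stays in the drop folder for manual review.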