edit: Thanks for the downvotes, lesson learned! Never talk about vulnerabilities of a code which is #1 on HN and people will blindly put in production.
edit 2: So here is my new comment: "Awesome library! The fact that users can easily enhance its behaviour by using <script> tags in labels is a great feature!"
You're going to be happier and your comments more persuasive if you just ignore downvotes. Like, completely. Your comment was inevitably going to be bolted to the top of the thread regardless of the randos who downvoted you.
I upvoted you because good catch, but winced when I did it because of the downvote whining. :)
> You're going to be happier and your comments more persuasive if you just ignore downvotes.
Generally yes. That said some people seem to either belong on another forum or have somehow managed to collect enough karma to downvote before learning how to behave on HN.
Putting HTML elements in the label property itself certainly looks like it's unintended design-wise, and IMO escaping input should definitely be the responsibility of this library (or, as gildas suggested, it should at the very least be documented).
Well, it's a client side library. By that reasoning, jQuery can be said to be vulnerable to XSS if you call .html() with untrusted user input. It seems reasonable to me that the label of each bubble can contain HTML code, it's up to the user to ensure any user input is escaped.
Agreed. In fact, to build on 'Erwin's example, jquery makes note of the potential for XSS when calling .html(), .append(), .after(), etc.[1]
> Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.
Yeah, I'm having a hard time seeing this as having an XSS vulnerability in and of itself. If you're not escaping user input onto the page, it doesn't matter if some library is taking that data and wrapping it in a span. You're done far before you add a third-party javascript library.
When I call that library, I shouldn't have to worry about the fact that it uses HTML. It is a leaky abstraction since a field that is, intuitively, supposed to be text for the label, is actually just treated as HTML for plain insertion into the page.
It might be a good idea to have separate label and labelHTML properties so users of the library don't have to think about this in the common case of text labels, but they can still use HTML labels if they want.
Quite pretty but I can't figure out why anyone would invent their own non-ISO date format and then have to write a parser for it. Is it really so hard to start with the year?
After we were acquired, I designed an extensive timeline of our company history, people and apps released. It sometimes looks bad on mobile, but in general works pretty well, loading data from JSON.
Please, don't go that route. Rather, make this reusable for others right now (by making it Free Software), and accept help from outside for the cleanup.
My first solution is a Gantt style graph where I input tasks I need to do and estimate how long they take. Then I click start on a task, and track the time I spend on it. My job needs me to track in high detail what I work on, so I made this system after getting bored of pen and paper.
The second solution I made was a real Gantt diagram, I used the same knowledge I had from the pervious solution, angularjs and svg, but this time I implemented dependencies between the activities. For the first solution I implemented a very simple scheduler based on the fact that I can't possibly be working on two things at the same time (unless I work during a meeting), but for this second solution I didn't make a scheduler so instead I just specify a start and duration for a task.
It's funny, but I wrote something similar back around 1999, built for the dhtml v4 browser days... I am so glad to be doing web development today vs the bad old days.. abstracting box drawing between Ie4 and NN4 browsers for stack diagrams and gantt charts was no fun at all... neither was masking while drawing because of NN4.x's bad flicker, or dealing with the various overflows, or bugginess all around... IE's broken 5.0 release (included with Office 2000), fixed in 5.0.1, and various other quirky behavior at the time.
Since you seem to care about good Javascript practices given you're linting your code, I'm going to point out that all your modules are exposed in the global scope, which isn't the best practice. I'll suggest using something like browserify (as opposed to require.js due to the smaller overhead) to "require" smaller modules within closures to expose one final Timesheet constructor.
You should put the .css and .js on the frontpage (some people don't know how to use github). Also some basics explanation on how to use it would be nice as well. I'm using right now and I just see the background no event get displayed.
Also Haml is cool but it makes your project hard to understand if you do not use haml (like me).
In case anyone else is confused, like I was (and I imagine spellcheck is to blame): I'm pretty sure the parent means "Haml", not "Halm".
According to haml.info:
"Haml is a markup language that’s used to cleanly and simply describe the HTML of any web document without the use of inline code. Haml functions as a replacement for inline page templating systems such as PHP, ASP, and ERB, the templating language used in most Ruby on Rails applications. However, Haml avoids the need for explicitly coding HTML into the template, because it itself is a description of the HTML, with some code to generate dynamic content."
Pretty cool - there's a similar library at http://timeline.knightlab.com/ that approaches the problem in a slightly different way. Rather than having an axis per event they try to present multiple events on the same axis.
I've been doing a lazy search (i.e., passively watching) for a library like this with per-second resolution vs the per-month resolution in both timesheet.js and Chee Aun's Life.
Thanks for the reply. I put cubism in the bucket of time series data, where the x-axis is time and the y-axis a single continuous scalar with definable magnitude. What makes these timeline views unique is multiple y-axis values, each with no magnitude, just metadata. (Or perhaps the metadata is more important than the magnitude)
Cubism is hawt for time series data, but there are lots of good options. It's a popular ask.
Just curious. What are some examples of the most interesting uses you've seen from users? Are they mostly using it for tracking work hours during the week etc.?
[1] https://github.com/sbstjn/timesheet.js/blob/master/source/ja...
edit: Thanks for the downvotes, lesson learned! Never talk about vulnerabilities of a code which is #1 on HN and people will blindly put in production.
edit 2: So here is my new comment: "Awesome library! The fact that users can easily enhance its behaviour by using <script> tags in labels is a great feature!"