In the future, embedded Picasa slideshows would be terrific!

Walt Esquivel - January 8, 2008 - 01:55
Project: Picasa
Version: 5.x-3.1
Component: Code
Category: feature request
Priority: normal
Assigned: cyberswat
Status: active
Description

(NOTE: Per the maintainer's comments at http://drupal.org/project/picasa, development for 5.x has stopped and only minor bug fixes will be made from here on out to 5.x. However, the 6.x version wasn't available on the drop-down box when submitting this feature request so I was forced to choose the 5.x version. If I'm supposed to post this feature request somewhere else, please let me know.)

In the future, embedded Picasa slideshows would be terrific! I really like being able to have my Picasa albums (and those of my future subscribers) on my web site per the nifty and very functional Picasa contributed module. However, a drawback for me is that the link to the Picasa album takes my web site visitors away to Picasa instead of keeping the visitors on my site. A better alternative for me would be an embedded slideshow.

For a limited time, I've thrown up two examples to play with on my test web site at http://wellnessgame.com. I have (1) an example of the Picasa contributed module at http://wellnessgame.com/node/7 and (2) an example of an embedded Picasa slideshow at http://wellnessgame.com/node/6. (To create an embedded Picasa slideshow on my web site, I went to my Picasa album, clicked on "Embed Slideshow", and copied and pasted the code from the Picasa popup to a new page on my Drupal web site.)

If I click on an album at example (1) which utilizes the Picasa contributed module, it takes me straight to my Picasa album. However, example (2) is a slideshow of my Picasa album that nicely runs on my web site, and my web site is where I hope to keep my visitors instead of them leaving and going to Picasa as in example (1).

One interesting note for the Picasa contributed module maintainer or anyone looking into embedded Picasa slideshows is that after I've copied and pasted the "Embed Slideshow" code from Picasa onto my Drupal-powered web site, the slideshow does not show up on my Drupal site if I choose "Filtered HTML". The embedded Picasa slideshow seems to only show up when I choose "Full HTML". From past readings, I've learned that allowing "Full HTML" for the general public is a bad idea because some HTML code can cause huge issues with one's web site, particularly if the post is malicious. So I don't know if embedded Picasa slideshows are even possible without allowing "Full HTML", something I'm not about to allow.

Thanks!

#1

loloyd - January 8, 2008 - 03:35

a drawback for me is that the link to the Picasa album takes my web site visitors away to Picasa instead of keeping the visitors on my site

+1

I never thought that the direction of this project led to this. I thought the original intent of the chief author was to make each picture a node (and I was hoping for at least each album a node). I am not here to debate the logic of this sudden outcome/direction but it makes the module somewhat less useful for me.

As for Walt's hesitations on using the Full HTML input format, let me just say that there's nothing wrong with this - as long as it's only you alone (or a few trusted friends you have) who are going to post node content on your website. I can confidently say that there won't be any security issues as long as you directly copied the HTML from Google's Picasa slideshow album generator. You may not find any harmful HTML tags in there.

But if you're looking for a quick fix and you really want to avoid using Full HTML format, I suggest that you go to your Input Formats settings (/admin/settings/filters), configure Filtered HTML, and add "<embed>" in the list of allowed HTML tags. That way, you'll still be able to use Picasaweb slideshows in your website using Google's generator while just using the Filtered HTML input format. Just be aware though that you will also be allowing other people to use the "<embed>" tag whenever they're posting Filtered HTML content.

Side tip for cyberswat: My HTTPS website doesn't go well with GAuth. Just an FYI. But of course, this is an issue with Google and not exactly with the Picasa module.

#2

Walt Esquivel - January 8, 2008 - 15:54

@cyberswat: Please feel free to change the version from 5.x to 6.x whenever that version first becomes available in the "Version" drop-down box.

@loloyd: Wow! Thanks for the helpful comments! If it was just me (and a few trusted colleagues), I wouldn't have a problem allowing "Full HTML" on my web site. But the web site will be for subscribers and the general public to post things, including in this case pictures. Therefore, "Full HTML" is not an option due to the possibility of abuse.

I tried your suggestion for a quick fix of adding embed in the list of allowed HTML tags under "Filtered HTML" and it worked like a charm! For anyone reading this, I added embed in the list of allowed HTML tags under "Filtered HTML", I then logged out as user1 and logged back in under a different username for which I only have "Filtered HTML" permission (because I wanted to test adding Picasa code under a role with only "Filtered HTML" permission), added the embedded Picasa code for a Picasa slideshow, and my slideshow appeared just like magic! I'll just need to explain to my subscribers that they have the capability to now add embedded slideshows. I'll probably add some help notes somewhere in the FAQs regarding this. Question: Is allowing embed under "Filtered HTML" OK or does it introduce any potential for abuse? I just don't know anything about what embed can do, other than it allows Picasa embedded slideshows. Can someone embed a virus or something malicious?

#3

loloyd - January 9, 2008 - 03:18

Hi, Walt. Don't just thank me. Thank Drupal too for making our cyber lives easier. :-D

On a more serious note, you could find some security issues with allowing "<embed>" for virtually anyone - especially those with malicious intent. Hopefully, your website users wouldn't be such people. If you can find a way to allow only picasa.google.com as the only valid SRC domain for your embed tags, then you can greatly mitigate this issue. I believe social networking sites do this - for example, Friendster limits SRC attributes to only a few external sites that they find sufficiently noteworthy.

Can someone embed a virus or something malicious?

The short answer is yes, as much as I know.

Admittedly, I only found a few hacks when I Googled for "embed tag security vulnerability". However, if I were a savvy enough security exploiter, I could, in theory, make up a malicious web script/applet, post it on a server of my choice, then embed that script/applet in your website and thereby effectively open up your website to a few cross-domain security vulnerabilities. Of course, this may all be far-fetched as there's way too much work involved. ;-) This just provides a cautionary FYI though.

Barring that, good luck with your website!
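The two suggestions above (comment #1: add "<embed>" to the Filtered HTML tag list; comment #3: only accept SRC values from a trusted domain) can be combined into one input filter. The following is an added example written for this thread, not code from the Picasa module or from Drupal's own filter system. The trusted host names, the tag and attribute allowlists, and the sample post are all constructed assumptions; the embed code that Picasa actually generates may differ.

```python
"""Allowlist filter: Filtered-HTML-style tags, with <embed> admitted only when
its src is an http(s) URL whose exact host is on a trusted list.

Added example; not the Picasa module's or Drupal's code. Hosts, tag lists and
the sample post below are assumptions constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed trusted hosts for Picasa slideshow embeds.
TRUSTED_EMBED_HOSTS = {"picasaweb.google.com", "picasa.google.com"}

# Assumed Filtered-HTML-style tag list plus <embed>, with the attributes each
# tag may keep. Everything else (on* handlers, style, unknown tags) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "em": set(), "strong": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "embed": {"src", "type", "width", "height", "flashvars", "pluginspage"},
}
VOID_TAGS = {"br", "embed"}  # written as <tag ...>, never pushed as "open"


def is_http_url(url):
    """Reject javascript:, data:, file: and scheme-relative (//host) URLs."""
    if url is None:
        return False
    return urlparse(url.strip()).scheme.lower() in ("http", "https")


def embed_src_is_trusted(src):
    """True only for http(s) URLs whose exact host is on the allowlist."""
    if not is_http_url(src):
        return False
    # .hostname strips userinfo ("trusted@evil") and the port and lower-cases,
    # and an exact set membership test defeats "picasaweb.google.com.evil.tld".
    return urlparse(src.strip()).hostname in TRUSTED_EMBED_HOSTS


class AllowlistFilter(HTMLParser):
    """Re-serialises the input keeping only allowed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropped = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, "tag not allowed"))
            return
        kept = {k: v for k, v in attrs if k in ALLOWED_TAGS[tag]}
        if tag == "embed" and not embed_src_is_trusted(kept.get("src")):
            self.dropped.append((tag, "src not trusted: %r" % kept.get("src")))
            return
        if tag == "a" and not is_http_url(kept.get("href")):
            kept.pop("href", None)  # keep the link text, lose the bad URL
        attr_text = "".join(' %s="%s"' % (k, escape(v or "", quote=True))
                            for k, v in kept.items())
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # close down to it; stray end tags are ignored
            while True:
                top = self.open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self):
        while self.open:  # close anything the poster left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def filter_html(text):
    """Return (clean_html, list of (tag, reason) for everything removed)."""
    f = AllowlistFilter()
    f.feed(text)
    f.close()
    return f.result(), f.dropped


# Constructed sample post: one legitimate-looking Picasa embed followed by the
# evasions a host check has to survive (suffix host, userinfo trick, bad scheme).
SAMPLE_POST = (
    '<p>My holiday album:</p>'
    '<embed type="application/x-shockwave-flash" '
    'src="http://picasaweb.google.com/s/c/bin/slideshow.swf" '
    'width="400" height="267" flashvars="host=picasaweb.google.com&amp;feat=flashalbum"></embed>'
    '<embed src="http://picasaweb.google.com.attacker.example/evil.swf"></embed>'
    '<embed src="http://picasaweb.google.com@attacker.example/evil.swf"></embed>'
    '<embed src="javascript:alert(1)"></embed>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="steal()">link</a>'
)

if __name__ == "__main__":
    clean, dropped = filter_html(SAMPLE_POST)
    print(clean)
    for tag, reason in dropped:
        print("dropped <%s>: %s" % (tag, reason))
```

The design point is that the host comparison is an exact match against a parsed hostname, not a substring or prefix search on the raw URL: a substring check would accept "picasaweb.google.com.attacker.example" and "http://picasaweb.google.com@attacker.example/", and a check on the raw string would miss case and whitespace variants. Note that even with a trusted host, the embed still loads third-party content into your visitors' browsers, so the allowlist limits who can supply that content rather than making "<embed>" harmless in general.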

#4

cyberswat - January 30, 2008 - 15:11
Assigned to: Anonymous » cyberswat

#5

ambrojio - March 31, 2008 - 22:39

Echo.

The difference between earlier incarnations of this module and its current form is likewise strange to me. Before, the module DID, in fact, simply show a page of albums, and a page of thumbnails and enlarged images all right within the site. I suppose the addition of the "Guser" adds power, in that you can now have albums from many different users. But previously this module was excellent for integrating an existing Picasa workflow being used by my clients into their new websites, and allowing them to continue using the local uploader.

Here's hoping that the Drupal 6 version fixes this!
