That would not be secure at all since you are able to request the xslt from a client.
Try requesting one of your xslt's from within your webbrowser: http://yourdomain.com/xslt/yourxslt.xslt

I think I would store the username and password in the database and pass it on through a macro.

But the username and password would be parameters passed into the macro and not hardcoded into the XSLT.
<xsl:value-of select="concat($userTwitterID,':',$userTwitterPass,'@','http://twitter.com/statuses/friends_timeline.xml?count=', $noStatus)" />

Warren

Have you tried runing the xslt throug a browser runing a tool like Fiddler for IE - don't know if you are familiar with the tool, but it can show you all requests being made when you enter a site.

Runing a page with your xslt function will show you if the username and password is sent in clear text ... I'm not really sure that this type of request stays serverside, maybe someone else can answer that. But with the above tool you should be able to get closer to an answer.

http://www.fiddler2.com/fiddler2/

- Morten

Thanks Morten I will give that a try and report back later.

Warren :)

@Warren I thought you meant hardcoded :) I would not recommend that!

Furthermore I'm with Morten, not quite sure what you will see with fiddler. Would be worth trying...

A few months ago i found a pretty nice c# wrapper for the Twitter API, in that case the account credentials where in a config file, maybe an option to use that library?

As long as no-one can request the username and password from the website (i.e. as Roel says for request XSLT) it will be secure.

(Cripes, I hadn't thought it was possible to make requests to the .xslt in the browser - will Umbraco still work if I blocked access to this?)

Someone could sniff the username and password if they got in between your server and Twitter if you weren't using https or used Basic Authentication.

Sjors, which wrapper was that? Twitterizer?

Question is if the parameters sent to a macro are shown in the umbDebugShowTrace=true output. You may want to test that as well...

Simon i thought i used Yedda.

OK guys, looked at this and I am not sure I can do the remote XML call with umbraco.library:GetXmlDocumentByUrl

As I am no coding guru, could someone help me to see if the XSLT extension would be able to do the type of URL call I am after please.

        /// <summary>
        /// Fetches a xml file from the specified url.
        /// the Url can be a local url or even from a remote server.
        /// </summary>
        /// <param name="Url">The URL.</param>
        /// <returns>The xml file as a XpathNodeIterator</returns>
        public static XPathNodeIterator GetXmlDocumentByUrl(string Url)
        {
            XmlDocument xmlDoc = new XmlDocument();
            WebRequest request = WebRequest.Create(Url);
            try
            {
                WebResponse response = request.GetResponse();
                Stream responseStream = response.GetResponseStream();
                XmlTextReader reader = new XmlTextReader(responseStream);

                xmlDoc.Load(reader);

                response.Close();
                responseStream.Close();
            }
            catch (Exception err)
            {
                xmlDoc.LoadXml(string.Format("<error url=\"{0}\">{1}</error>",
                                             HttpContext.Current.Server.HtmlEncode(Url), err));
            }
            XPathNavigator xp = xmlDoc.CreateNavigator();
            return xp.Select("/");
        }

As a reminder this is the URL I am passing into GetXmlDocumentByUrl but this is not hardcoded BTW ;)
http://myUsername:[email protected]/statuses/friends_timeline.xml?count=5

Warren :)

Hi Warren. I get a 401 unauthorized error when trying to use that code. Will try debugging a bit, but that is the current status :-)

Just tested this in a small windows app, so it's not tested in umbraco, but try making your own extension like this:

        public static XPathNodeIterator GetXmlDocumentByUrl(string Url, string user, string password)
        {
            XmlDocument xmlDoc = new XmlDocument();
            WebRequest request = WebRequest.Create(Url);
            request.Credentials = new NetworkCredential(user, password);
            try
            {
                WebResponse response = request.GetResponse();
                Stream responseStream = response.GetResponseStream();
                XmlTextReader reader = new XmlTextReader(responseStream);

                xmlDoc.Load(reader);

                response.Close();
                responseStream.Close();
            }
            catch (Exception err)
            {
                xmlDoc.LoadXml(string.Format("<error url=\"{0}\">{1}</error>",
                                             HttpContext.Current.Server.HtmlEncode(Url), err));
            }
            XPathNavigator xp = xmlDoc.CreateNavigator();
            return xp.Select("/");
        }

I got it working. Just added on line of code, and a couple of parameters to the method.

Morten looks like this will do the job, have yet to test it yet. Will try out tomorrow when I am back into full swing and out of holiday mode.

Warren :)

Morten I am getting this error
The name 'HttpContext' does not exist in the current context for this line:

xmlDoc.LoadXml(string.Format("<error url=\"{0}\">{1}</error>",HttpContext.Current.Server.HtmlEncode(Url), err));

The namepsaces/references I have included are the following:

using System.Xml.XPath;
using System.Xml;
using System.Net;
using System.IO;

Have I missed any or am I doing anything wrong?

Thanks,
Warren

For reference it was missing this refrerence:

using System.Web;

Hey Guys,
I have updated the twitter for umbraco package/project to use this remote XML call.

@Morten Christensen as I have no idea really how this fiddler works - would you mind testing this package out and see if the call to twitter is secure or not.

http://twitter4umbraco.codeplex.com

http://our.umbraco.org/projects/twitter-for-umbraco

The more testers the better.

Thanks,
Warren

Okay, I'll try and give it a go and let you know later today.

- Morten

Please re-download as was typo in package action for registering XSLT extension.

@Warren, I installed your twitter package and checked it with Fiddler - nothing was sent in clear text (requests, headers etc.) or anything else that could be considered a security concern, so it looks like you are good to go ;-)

- Morten

Excellent that is great news. I presumed the package actually worked yeh?

Warren :)

Dammn the username/pass can be seen with ?umbDebugShowTrace=true
Anyway to disable this? - so I can put a warning with the package or do you think I should remove that piece of functionality instead?

Warren :)

Hi Warren. You can disable it by setting this key in the web.config

    <add key="umbracoDebugMode" value="false" />

That disaples the querystring debug info.

Wouldn't it be possible to write a piece of C# code that takes a peek in the web.config and store the twitter username/password there?

*.config files are not served to the public so that would sort of eliminate the potential risk of having your credentials exposed, or?

So do you think the best idea is to have a config file for this then?
What is the convention for package authors on where to store .config files then?

Warren :)

I'd store the config-file in the config-folder. As simon said: config-files aren't served to public (unless someone messed with the IIS-configuration...).

OK something to do at lunch time then to fix this problem.

is working on a reply...