Wikka Mod 018

Type: Feature Addition


IFrame


This is a very simple action that is useful for including content that might not otherwise import easily into a Wikka page.

Usage example:
{{iframe height="480" width="650" url="http://google.com"}}


Note: This feature has been removed from the default install due to security concerns. It can be activated by moving the iframe.php file in the /intranet folder to the /actions folder. Only activate this if your site is on a local intranet and not exposed to the public.



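<?php

// $vars holds the parameters from the {{iframe ...}} markup, so any user who
// can edit a page controls them. Escape each one for the HTML attribute it is
// written into; this does not restrict which URL is framed.
$width = htmlspecialchars($vars['width'], ENT_QUOTES);
$height = htmlspecialchars($vars['height'], ENT_QUOTES);
$url = htmlspecialchars($vars['url'], ENT_QUOTES);

echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';

?>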


How about this variation (I added frameborder="0"):
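<?php

// Escape the user-supplied parameters for the attribute context.
$width = htmlspecialchars($vars['width'], ENT_QUOTES);
$height = htmlspecialchars($vars['height'], ENT_QUOTES);
$url = htmlspecialchars($vars['url'], ENT_QUOTES);

echo '<iframe frameborder="0" width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';

?>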
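The note above limits this action to intranets because any page editor can choose the framed URL. The following is an added example, not WikkaWiki's own code, of restricting the action to hosts the site maintainer approves; the `IFRAME_ALLOWED_HOSTS` list, its placeholder host and the function names are assumptions, and the default dimensions are taken from the usage example.

```php
<?php
// Added example, not WikkaWiki code. The host list is a placeholder that the
// site maintainer would replace with the hosts they trust.
const IFRAME_ALLOWED_HOSTS = ['reports.example.org'];

// Accept a plain pixel count only; anything else falls back to the default.
function iframe_dimension($value, int $default): int
{
    $value = (string) $value;
    return (ctype_digit($value) && strlen($value) <= 4) ? (int) $value : $default;
}

// Return the iframe markup, or '' when the URL is not on the allow-list.
function iframe_action_html(array $vars): string
{
    $url   = trim((string) ($vars['url'] ?? ''));
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return '';   // malformed, relative or host-less URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';   // only web schemes are framed
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return '';   // no user:pass@ prefix that could disguise the real host
    }
    if (!in_array(strtolower($parts['host']), IFRAME_ALLOWED_HOSTS, true)) {
        return '';   // exact host match, no suffix or substring matching
    }
    $width  = iframe_dimension($vars['width'] ?? '', 650);
    $height = iframe_dimension($vars['height'] ?? '', 480);
    // Escape the URL for the attribute context; width/height are integers here.
    return '<iframe width="' . $width . '" height="' . $height . '" src="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Constructed sample parameters, shaped like the $vars array the action receives.
$samples = [
    ['width' => '650', 'height' => '480', 'url' => 'http://reports.example.org/summary.html'],
    ['width' => '650', 'height' => '480', 'url' => 'http://google.com'],
    ['width' => 'wide', 'height' => '480', 'url' => 'https://reports.example.org/a.html?x=1&y=2'],
];
foreach ($samples as $vars) {
    $html = iframe_action_html($vars);
    echo ($html !== '' ? $html : '[iframe refused]'), "\n";
}
```

The first and third samples are framed (the third with the default width and `&` written as `&amp;`); the second is refused because its host is not on the list.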
Comments
Comment by host14-14.pool8251.interbusiness.it
2005-07-14 17:56:13
This feature is very good!
Comment by ChrisH
2005-12-26 05:30:30
Curious: What exactly makes this action a security concern? I'm guessing that it is because it could be used to embed a malicious web site into your wiki, no? Would "hard-coding" the desired url into the action make it less of a security risk?
Comment by JavaWoman
2005-12-26 08:10:25
ChrisH:

Indeed the possibility of embedding a malicious URL (by any user allowed to edit a page) makes it a security risk: since iframe operates on the level of a URL rather than the code it returns, it cannot be "sanitized" either. Within an intranet, with a known group of (potential) wiki users, this is generally no concern, hence its "classification".

Hard-coding the desired URL would indeed make it far less of a security risk since the users can't choose a URL, only the site maintainer - but the site maintainer would have to "trust" the URL being used of course. BTW, if you'd want to have the resulting page validate as XHTML strict, you could use object instead of iframe.
Comment by ChrisH
2005-12-27 03:11:02
JavaWoman - Makes sense, thank you. The URL I want to link to is on another subdomain of my own site, so it seems that Iframe would work for me if I hardcoded it. One question though - you refer to using "object" instead of "iframe". I can't find an action named "object". Am I not looking in the right place, or is there more to the name than that?
Comment by JavaWoman
2005-12-27 08:28:53
Sorry, I was referring to the object HTML *element* to use instead of the *iframe* element. If you're editing the action to hardcode a URL, you could replace that, too (and even rename the action, for that matter).

In the action code you could use it like this:
echo '<object width="'.$width.'" height="'.$height.'" data="'.$url.'"></object>';

More here:
http://www.w3.org/TR/html401/struct/objects.html#edef-OBJECT
Comment by ChrisH
2005-12-27 16:18:58
Oh. Okay. Thanks. That is exactly what I am looking to do - I want to create several actions that will embed HTML files in various places. The HTML files are outputs from another program. That way I can update them by simply uploading the new html file with the appropriate name, and they will be updated everywhere they are used on the site.
Comment by WazoO
2006-09-01 00:56:12
Working with 1.1.6.2 .... IFRAME works, but I really don't want to use that, so was trying to convert to the OBJECT statement. Been fighting for quite a while with no success. The page I'm trying to pull in has an 'action' extension at the end of the URL, so was thinking that perhaps the 'cleanUrl' bit might be changing/modifying the string, but even deleting that line made no difference.

Trying to hardcode the URL into the code made no difference either .. example
under the OBJECT version, changed ... data="'.$url.'" .... to read;
data="http://domainname/pagename.php?act=calendar" ...
but only see the dreaded 'red X' on the rendered page.

Again, the IFRAME construct works fine, the OBJECT construct does not.

I have to be missing something very obvious, but ....?????
Comment by BrianKoontz
2006-10-13 19:55:19
Try adding the type attribute:

<object...type="text/html"></object>

I couldn't get this to work either until I added the MIME type.
Comment by WazoO
2006-10-13 23:01:14
Thanks Brian .... now if I could remember what I was trying to do way back then <g>
Comment by WazoO
2006-10-14 00:34:26
OK, for those that made it this far .....
iframe code above 'command line' reads;

echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';

the 'object' version of that line that now works reads as;

echo '<object width="'.$width.'" height="'.$height.'" data="'.$url.'" type="text/html"></object>';

There are various ways to 'hard-code' in the (URL) data ... in this line, in the action file, ....