Wikka Mod 018
Type: Feature Addition
IFrame
This is a very simple action that can be very useful to include content that otherwise might not easily import into a Wikka page.
Usage example:
{{iframe height="480" width="650" url="http://google.com"}}
Note: This feature has been removed from the default install due to security concerns. It can be activated by moving the iframe.php file in the /intranet folder to the /actions folder. Only activate this if your site is on a local intranet and not exposed to the public.
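<?php
// Action parameters, taken as written in the page markup by whoever edited the page.
$width = $vars['width'];
$height = $vars['height'];
$url = $vars['url'];
// The values are emitted as given, without validation or escaping.
echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
?>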
How about this variation (I added frameborder="0"):
<?php
$width = $vars['width'];
$height = $vars['height'];
$url = $vars['url'];
echo '<iframe frameborder="0" width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
?>
Indeed the possibility of embedding a malicious URL (by any user allowed to edit a page) makes it a security risk: since iframe operates on the level of a URL rather than the code it returns, it cannot be "sanitized" either. Within an intranet, with a known group of (potential) wiki users, this is generally no concern, hence its "classification".
Hard-coding the desired URL would indeed make it far less of a security risk since the users can't choose a URL, only the site maintainer - but the site maintainer would have to "trust" the URL being used of course. BTW, if you'd want to have the resulting page validate as XHTML strict, you could use object instead of iframe.
In the action code you could use it like this:
echo '<object width="'.$width.'" height="'.$height.'" data="'.$url.'"></object>';
More here:
http://www.w3.org/TR/html401/struct/objects.html#edef-OBJECT
Trying to hardcode the URL into the code made no difference either .. example
under the OBJECT version, changed ... data="'.$url.'" .... to read;
data="http://domainname/pagename.php?act=calendar" ...
but only see the dreaded 'red X' on the rendered page.
Again, the IFRAME construct works fine, the OBJECT construct does not.
I have to be missing something very obvious, but ....?????
<object...type="text/html"></object>
I couldn't get this to work either until I added the MIME type.
iframe code above 'command line' reads;
echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
the 'object' version of that line that now works reads as;
echo '<object width="'.$width.'" height="'.$height.'" data="'.$url.'" type="text/html"></object>';
There are various ways to 'hard-code' in the (URL) data ... in this line, in the action file, ....
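A middle ground between the open action and a hard-coded URL, as an added example that is not part of the original page or of Wikka itself: the action keeps its url parameter, but only renders hosts from a list the site maintainer controls, and escapes everything it writes into the tag. It goes beyond the hard-coding discussed above by generalising it to a list; render_iframe, $allowedHosts and the hostnames are assumptions made for illustration.

```php
<?php
// Added example, not Wikka's own code. $allowedHosts and the hostnames are
// hypothetical; the maintainer, not the page editor, controls the list.
function render_iframe(array $vars, array $allowedHosts): string
{
    // Force integer dimensions and clamp them, so they cannot carry markup.
    $width  = max(1, min(2000, (int)($vars['width']  ?? 650)));
    $height = max(1, min(2000, (int)($vars['height'] ?? 480)));

    $url   = trim((string)($vars['url'] ?? ''));
    $parts = parse_url($url);

    // Absolute http(s) URLs only: anything without a scheme and host is refused.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '<em>iframe: invalid URL</em>';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '<em>iframe: scheme not allowed</em>';
    }
    // Exact host match against the maintainer's list (no substring matching).
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return '<em>iframe: host not allowed</em>';
    }

    // Escape for an HTML attribute context, quotes included.
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<iframe width="'.$width.'" height="'.$height.'" src="'.$src.'"'
         . ' sandbox="allow-scripts allow-forms"></iframe>';
}

// Constructed sample inputs: one allowed page, one foreign host, two malformed.
$allowedHosts = ['intranet.example', 'calendar.intranet.example'];
$samples = [
    ['width' => '650', 'height' => '480', 'url' => 'http://intranet.example/pagename.php?act=calendar'],
    ['width' => '650', 'height' => '480', 'url' => 'http://other.example/'],
    ['width' => '650"', 'height' => '480', 'url' => 'javascript:alert(1)'],
    ['width' => '650', 'height' => '480', 'url' => 'http://intranet.example/"><script>'],
];
foreach ($samples as $vars) {
    echo render_iframe($vars, $allowedHosts), "\n";
}
```

The list only limits where a frame can point; the maintainer still has to trust what each listed host serves.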