Posted by iantresman on October 28, 2009 at 5:25pm
| Project: | insertFrame |
| Version: | 6.x-2.0 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
I have a page containing a list of external URLs. I want to be able to click on any link, and for the resulting web site to appear in an iFrame in my Drupal website. I don't want to create a separate Drupal page containing a separate iFrame for each external link.
Is there a way to pass the URL from the link to a Drupal "template page" on which the iFrame will be created? Of course it must prevent iFrame injections from an external site.
I guess one workaround is to place my list of external URLs into an iFrame. Is there another way?
Comments
#1
You can pass the iframe's URL to the generic iframe page with the ?url=... param (or &url=...).
Create the following function in your template.php:
<?php
// Theme override: use the ?url= query parameter as the iframe source when present.
function insertFrame_render_url($url, $params) {
  if (isset($_GET["url"])) {
    return urldecode($_GET["url"]);
  }
  return $url;
}
?>
Your links can now be http://www.url.com/node/?url=urlofiframe
If your list is a predefined list, you can pass keywords to url and set the url of this keyword in the function above. This could prevent external injection.
Don't forget to clear page requisites or clear cache.
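The keyword lookup suggested in comment #1, written out as an added example; it is not part of the original thread or of the insertFrame module's code. The `example_` helper names, the allowlist entries and the reuse of the `url` parameter to carry the keyword are assumptions; the override name follows the correction in comment #3.

```php
<?php
// Constructed allowlist: keyword => iframe source. The URLs are placeholders.
function example_frame_allowlist() {
  return array(
    'docs'   => 'https://docs.example.org/',
    'status' => 'https://status.example.net/',
  );
}

// Hypothetical helper: resolve a request keyword to an allowlisted URL,
// or fall back to the URL configured on the node.
function example_frame_url_for_keyword($keyword, $default_url) {
  // Reject arrays (?url[]=x) and anything that is not a short lowercase token.
  if (!is_string($keyword) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $keyword)) {
    return $default_url;
  }
  $allowlist = example_frame_allowlist();
  // The request value is only ever used as a lookup key, never as a URL.
  return isset($allowlist[$keyword]) ? $allowlist[$keyword] : $default_url;
}

// Theme override; replace "yourtemplate" with the name of your theme.
function yourtemplate_insertFrame_render_url($url, $params) {
  $keyword = isset($_GET['url']) ? $_GET['url'] : NULL;
  return example_frame_url_for_keyword($keyword, $url);
}

// Constructed request values, runnable from the PHP command line.
if (PHP_SAPI === 'cli') {
  $default = 'https://docs.example.org/';
  $samples = array('status', 'https://untrusted.example/', 'STATUS', array('status'));
  foreach ($samples as $sample) {
    echo json_encode($sample), ' => ',
      example_frame_url_for_keyword($sample, $default), "\n";
  }
}
```

Links then take the form ?url=status, and any value that is not a key in the allowlist renders the node's configured default instead of a caller-supplied address.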
#2
Many thanks for that, I'll give it a try.
I think that as it stands, and without the keywords, then iFrame injection is possible. Is it possible to modify the script, and do a referrer check, to make sure that the original link is on my own Drupal's domain, and to exclude the possibility of someone just entering the link in their Browser?
I think that could prevent iFrame injection? It's not possible to spoof the referrer, is it?
#3
I've made a mistake. The function must be called yourtemplate_insertFrame_render_url, where yourtemplate is the name of your template.
Another way is to code this in the description of the generic iframe's node with the php code input format selected.
<?php
if (isset($_GET["url"])) {
  print _insertFrame_getHTML($_GET["url"]);
}
?>
I'm not sure the referrer is very secure!
#4
Thanks again. And after having a look around the Web, you're right about referrer not being too secure.
I'm still concerned about iframe injection. Can't someone just write their own script, and point a template on my web site to it? Can't they then get access to my server?
#5
Maybe you can encrypt your URL with your own algorithm?
#6
I too have the same issue with a site that I am building. My problem is a little more complicated in that I have the insertFrame within a block defined under a Tabbed Block. I am trying to generate a URL within a second block that will activate the proper page in the insertFrame. How do I reference the block / insertFrame combination securely? Thanks for the help - this sequence is close to what I am looking for.
#7
I guess that with the option between a keyword lookup, and encryption, it's probably as easy to just have a new content type which just includes the iFrame. It's safe, and the overhead is small, and I guess I shouldn't be so lazy in having to create each iFrame page separately.
#8
Why not use JavaScript?
#9