Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

embed component for iframe

Avatar

Level 4

hello,

In a new project, we need to use an iframe to embed a web page from another site into AMS's AEM.


We plan to solve this using the ootb core embed component.

The web page we are trying to embed using an embed(iframe) is managed by the same group and is a web page created in asp/aspx and located on the iis web server.

We have a proxy embed component and embed.html under the proxy embed component.
And we modified it <sly data-sly-test="${embed.html}">${embed.html @CONTEXT = 'unsafe'}</sly>.

We are going to use URL and HTML.

I think we need to modify /libs/cq/xssprotection/config.xml, but my questions are:
1. Is it possible to overlay with /apps/cq/xssprotection/config.xml?
2. If overlay is possible, should we include this as our source code and do source control with other code?
3. What parts should be modified/added in this file in order to embed web pages using URL and HTML ways?


thank you

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @keehwan1 
I have an example of iframe as Embeddable :

https://github.com/arunpatidar02/aemaacs-aemlab/pull/28/files#diff-0418435abaa6b1b4269de04f450cb2156... 

 

You can use this code.



Arun Patidar

View solution in original post

4 Replies

Avatar

Correct answer by
Community Advisor

Hi @keehwan1 
I have an example of iframe as Embeddable :

https://github.com/arunpatidar02/aemaacs-aemlab/pull/28/files#diff-0418435abaa6b1b4269de04f450cb2156... 

 

You can use this code.



Arun Patidar

Avatar

Level 4

Thank you, Arun Patidar

We are going to use core components as much as possible.

For this project related to core embed component for iframe, we want to use 2 parts from embed dialog- URL and HTML.

 

Would you recommend how to archive this?

 

Regards,

 

Avatar

Community Advisor

Hi @keehwan1 
URL option is no going to help here.

 

for HTML option, you may need to change settings to allow certain tags

 

Any unsafe tags such as scripts will be filtered from the entered HTML and will not be rendered on the resulting page.

The HTML markup that the author can enter is filtered for security purposes to avoid cross-site scripting attacks that could for example allow authors to gain administrative rights.

In general, all script and style elements as well as all on* and style attributes will be removed from the output.

However the rules are more complicated because the Embed Component follows AEM’s global HTML AntiSamy sanitation framework filtering rule set, which can be found at /libs/cq/xssprotection/config.xml. This can be overlaid for project-specific configuration by a developer if required.

Additional security information can be found in the AEM developer documentation for on-premise installations as well as AEM as a Cloud Service installations.

NOTE
Although the AntiSamy sanitation framework rules can be configured by overlaying /libs/cq/xssprotection/config.xml, these changes affect all HTL and JSP behavior and not just the Embed Core Component.

 



Arun Patidar

Avatar

Level 4

Thank you so much.
Your codes cover most of our requirement.