Adobe Experience Manager Sites & More

keehwan1 · 3/25/24

hello,

In a new project, we need to use an iframe to embed a web page from another site into AMS's AEM.

We plan to solve this using the ootb core embed component.

The web page we are trying to embed using an embed(iframe) is managed by the same group and is a web page created in asp/aspx and located on the iis web server.

We have a proxy embed component and embed.html under the proxy embed component.
And we modified it <sly data-sly-test="${embed.html}">${embed.html @CONTEXT = 'unsafe'}</sly>.

We are going to use URL and HTML.

I think we need to modify /libs/cq/xssprotection/config.xml, but my questions are:
1. Is it possible to overlay with /apps/cq/xssprotection/config.xml?
2. If overlay is possible, should we include this as our source code and do source control with other code?
3. What parts should be modified/added in this file in order to embed web pages using URL and HTML ways?

thank you

arunpatidar · 3/25/24

Hi @keehwan1
I have an example of iframe as Embeddable :

https://github.com/arunpatidar02/aemaacs-aemlab/pull/28/files#diff-0418435abaa6b1b4269de04f450cb2156...

You can use this code.

Arun Patidar

View solution in original post

arunpatidar · 3/25/24

Hi @keehwan1
I have an example of iframe as Embeddable :

https://github.com/arunpatidar02/aemaacs-aemlab/pull/28/files#diff-0418435abaa6b1b4269de04f450cb2156...

You can use this code.

Arun Patidar

keehwan1 · 3/25/24

Thank you, Arun Patidar

We are going to use core components as much as possible.

For this project related to core embed component for iframe, we want to use 2 parts from embed dialog- URL and HTML.

Would you recommend how to archive this?

Regards,

arunpatidar · 3/26/24

Hi @keehwan1
URL option is no going to help here.

for HTML option, you may need to change settings to allow certain tags

Any unsafe tags such as scripts will be filtered from the entered HTML and will not be rendered on the resulting page.

The HTML markup that the author can enter is filtered for security purposes to avoid cross-site scripting attacks that could for example allow authors to gain administrative rights.

In general, all script and style elements as well as all on* and style attributes will be removed from the output.

However the rules are more complicated because the Embed Component follows AEM’s global HTML AntiSamy sanitation framework filtering rule set, which can be found at /libs/cq/xssprotection/config.xml. This can be overlaid for project-specific configuration by a developer if required.

Additional security information can be found in the AEM developer documentation for on-premise installations as well as AEM as a Cloud Service installations.

NOTE

Although the AntiSamy sanitation framework rules can be configured by overlaying /libs/cq/xssprotection/config.xml, these changes affect all HTL and JSP behavior and not just the Embed Core Component.

Arun Patidar

keehwan1 · 3/27/24

Thank you so much.
Your codes cover most of our requirement.

Adobe Experience Manager Sites & More

embed component for iframe

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe