I want to be able to show federated wiki pages on a Grav page.
The conventional way to do this would seem to be a simple iframe tag, e.g.
However, trying this inside Grav gives a message:
NOTICE: Grav found potential XSS issues in content: 'dangerous_tags'
As a test, I created a simple page.
Does anyone have any creative solutions around this issue?
Is it possible to specify a single page on Grav as http and NOT https? I had installed https://systemschanges.com as https, although I’m not doing anything particularly interactive on the site.
Hi @daviding , this warning message is due to the (newish) additional security features of recent versions of Grav.
To turn this message off, you need to remove iframe from the Dangerous HTML tags list found in your Admin Panel Configuration->Security panel area.
Re: HTTPS etc., if I recall correctly, if your site is using HTTPS then your iframe embeds must also do this, but I am not 100% sure 🙂
Please let me know if the above works for you.
Thanks @paulhibbitts .
Removing iframe from the Dangerous HTML tags list eliminates the Warning message.
However, iframe … /iframe doesn’t then seem to get processed as markdown. What shows up on the page is the raw HTML.
Changing the Advanced … Overrides … Process … Markdown (unchecked) shows an iframe outline, but there’s no content inside … which must be mixing the https and the http.
That’s the same behaviour as my test page … so Grav may be operating to spec.
Not sure why you are seeing raw HTML @daviding, I often embed iframes etc. What skeleton/theme are you using?
If you like I could test your Grav page with this, if you join the Grav Discord (https://getgrav.org/discord) you could direct message me a ZIP archive of your Pages folder (or even better your User folder).
I’m using Bootstrap Open Matter 4, @paulhibbitts .
I think the problem is that systemschanges.com/online is running https, and the iframe is http.
To test, just create a page, and insert:
Unfortunately, that page doesn’t work under https, only under http. Just testing with a different page (I used http://coevolving.com/blogs/index.php/archive/classes-of-executive-functions-homeostatic-mediative-proactive/ ), the iframe works fine.
One solution could be to ask the federated wiki community if it’s possible to have both http and https pages. (I note from the test above that my blog is WordPress, and it works both in http and https).
Or does Grav also work with http as a default, and https additionally without modification?
@daviding HTTPS can be determined by Grav and/or htaccess I think. In the Grav config settings there is a setting to use SSL I think.
It turns out that federated wiki only works on http, not https. In order to make the iframe work, I’ve now changed the htaccess to force Grav on the site to http.
@paulhibbitts Thanks for the help.
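
The empty iframe outline described in this thread is what browsers show when an https page embeds an http frame (mixed-content blocking). As an added example, not part of the original posts, the following Python audits page content for such embeds before publishing; `audit_iframes`, the hostnames and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a content fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_iframes(page_url, content):
    """Return (resolved_src, verdict) for each iframe embedded in content."""
    collector = _IframeCollector()
    collector.feed(content)
    page_is_https = urlsplit(page_url).scheme == "https"
    results = []
    for src in collector.sources:
        # Resolve relative and protocol-relative (//host/path) sources
        # against the embedding page, as the browser does.
        resolved = urljoin(page_url, src)
        scheme = urlsplit(resolved).scheme
        if scheme == "https":
            verdict = "ok"
        elif scheme == "http" and page_is_https:
            # Frames are blockable mixed content: the browser refuses to load
            # them. Loopback hosts are not special-cased here.
            verdict = "blocked-mixed-content"
        elif scheme == "http":
            verdict = "loads-unencrypted"
        else:
            verdict = "unchecked-scheme"
        results.append((resolved, verdict))
    return results


# Constructed sample content: markdown with raw HTML embeds.
SAMPLE = """Some markdown text.
<iframe src="http://wiki.example.org/view/welcome-visitors"></iframe>
<iframe src="//wiki.example.org/view/about"></iframe>
<iframe src="https://blog.example.net/post/"></iframe>
"""
```

Calling `audit_iframes("https://site.example/online", SAMPLE)` marks the first embed as `blocked-mixed-content`; the same content audited against an http page URL reports `loads-unencrypted` for it instead.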