Passing parameters to an iFrame

Question

Ok more than a little pleased with myself, since I am not a coder it was pretty cool when I saw this work.

The problem I had was that I had a form (using Eloqua but could be any form) posted in an iFrame on the site. The frame needed to autofill values (such as email address) that were passed in the query string via an email. The iframe was not passing the parameters and I couldn't use javascript in the article so I thought I was screwed.

Then I realized that if I added the javascript to the header of the skin wrapper it would work for any iframes that needed to be passed parameters via the query string, but if there were no paramters, it would just do nothing. So I added this code (from a guy on the Eloqua forum) to my header wrapper:

</script>

Then in the article I added the parameter id="trackFrame"

so that the iFrame looked like this:

Eh voila when I click the link in the email my email address prepopulates on the form.

paolot · Answer

Hi&nbsp;jonathancrow&nbsp;
&nbsp;
I would be careful with this approach - I think you may want to do a bit more validation on the value of the "params" variable to prevent possible XSS attacks to your pages.&nbsp;
&nbsp;
If you know what kind of values your are expecting for the pre-filling then it should be possible to validate the parameters and discard them if they look suspicious.
&nbsp;
Hope that helps!

nathan · Answer

It's a clever solution. As Paolo said, there is a risk of XSS due to the lack of filtering on the URL. OWASP are a pretty good resource if you want to know more about this kind of thing:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

A couple of suggestions:

* You could wrap the JavaScript in some FreeMarker so that it only appears on the pages you want.

* If the user is logged in, you can retrieve the email address and other user info from FreeMarker, avoiding the need to extract it from the URL.

* It's probably OTT for what you need, but you could look at encrypting the user's email address in the URL to avoid potential abuse.

jonathancrow · Answer

Thanks guys. I will definitely look into this XSS issue more before going live.

One more question I have though, I found that it worked fine when I was already logged into the community, but if I was redirected to the login page first it didn't work. Any thoughts on what I would have to do to get this working?

I have SSO turned on. Do I need to do anything to the field "URL to login page"? It looks like the query string is getting removed when I get redirected to the login page.

Thanks,

Jonathan

nathan · Answer

With SSO, Lithium redirects the user to an external URL (configured in Lithium admin). Lithium includes the URL of the original page (in the parameter return_url) so that the extenal site can redirect the user after they have logged in. However, the implementation of this is down to the external site.

It's hard to know for certain without seeing the site, but I suspect that at some point during the redirection, the extra parameters are getting stripped out of the URL (probably when the external site redirects the user back to the community).

If the user needs to be logged in to access the page with the iframe, it might be worth exploring the option of retrieving the email address from FreeMarker rather than the URL.

Forum Discussion

Passing parameters to an iFrame

4 Replies

Related Content

Passing multiple parameters to the endpoint from Component

Passing parameter from custom component to an endpoint

How to pass user defined parameters to text key?

Can I cache a component based on parameter ?

Pass parameter to custom content component in community

Recent Discussions

liqlAdmin in khoros aurora graphql API

Join node/group 301 API error

How do I get the article ID in Freemarker in a TkbArticle?

How to retrieve "Internal reason for ban" field

Tips on keeping stage and prod in alignment?