diff --git a/frontends/php/include/classes/screens/CScreenUrl.php b/frontends/php/include/classes/screens/CScreenUrl.php
index e35c5f1..1df396e 100644
--- a/frontends/php/include/classes/screens/CScreenUrl.php
+++ b/frontends/php/include/classes/screens/CScreenUrl.php
@@ -29,18 +29,10 @@ class CScreenUrl extends CScreenBase {
 	public function get() {
 		// prevent from resolving macros in configuration page
 		if ($this->mode != SCREEN_MODE_PREVIEW && $this->mode != SCREEN_MODE_SLIDESHOW) {
-			return $this->getOutput(
-				CHtmlUrlValidator::validate($this->screenitem['url'], false)
-					? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
-							'auto')
-					: makeMessageBox(false, [[
-								'type' => 'error',
-								'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
-							]]
-						)
-			);
+			return $this->getOutput($this->prepareElement());
 		}
-		elseif ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
+
+		if ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
 			return $this->getOutput((new CTableInfo())->setNoDataMessage(_('No host selected.')));
 		}
 
@@ -54,14 +46,28 @@ class CScreenUrl extends CScreenBase {
 
 		$this->screenitem['url'] = $url ? $url : $this->screenitem['url'];
 
-		return $this->getOutput(
-			CHtmlUrlValidator::validate($this->screenitem['url'], false)
-				? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'], 'auto')
-				: makeMessageBox(false, [[
-							'type' => 'error',
-							'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
-						]]
-					)
-		);
+		return $this->getOutput($this->prepareElement());
+	}
+
+	/**
+	 * @return CTag
+	 */
+	public function prepareElement() {
+		if (CHtmlUrlValidator::validate($this->screenitem['url'], false)) {
+			$item = new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
+				'auto'
+			);
+
+			if (ZBX_IFRAME_SANDBOX !== false) {
+				$item->setAttribute('sandbox', ZBX_IFRAME_SANDBOX);
+			}
+
+			return $item;
+		}
+
+		return makeMessageBox(false, [[
+			'type' => 'error',
+			'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
+		]]);
 	}
 }
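Review bot: The guard `if (ZBX_IFRAME_SANDBOX !== false)` in prepareElement() admits any value that is not boolean false, so a misconfigured constant such as `null` or an integer still reaches `setAttribute('sandbox', ...)` with a non-string value, and what CIFrame then emits for the attribute is not visible here. The documented contract in defines.inc.php is "string to enable, false to disable", which `if (is_string(ZBX_IFRAME_SANDBOX))` expresses directly and makes the disable path the only non-string case. The `@return CTag` docblock could also state the security-relevant behaviour: `* Build the screen element: a CIFrame for a valid URL, carrying the sandbox attribute from ZBX_IFRAME_SANDBOX unless that is false, otherwise an error message box.` get() starts in the previous hunk; prepareElement() is complete within this one.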
diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
index a67a625..c6a437c 100644
--- a/frontends/php/include/defines.inc.php
+++ b/frontends/php/include/defines.inc.php
@@ -1284,6 +1284,14 @@ if (function_exists('bcscale')) {
 	bcscale(7);
 }
 
+/**
+ * The sandbox attribute enables an extra set of restrictions for the content in the iframe. Default is set to empty
+ * string, which means all restrictions are applied. To disable, set to FALSE. To set a specific set of restrictions,
+ * write a custom string.
+ * https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html#attr-iframe-sandbox
+ */
+define('ZBX_IFRAME_SANDBOX', '');
+
 // HTTP headers
 /*
  * Value of HTTP X-Frame-options header.
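Review bot: The docblock for ZBX_IFRAME_SANDBOX says "write a custom string" without saying what the string holds, which is the part an administrator relaxing the default needs to get right. A sentence after the "write a custom string" line such as `* The string is a space-separated list of HTML sandbox keywords (for example "allow-scripts" or "allow-forms"). Granting both "allow-scripts" and "allow-same-origin" lets the framed document remove its own sandbox and is effectively the same as disabling it.` would give that guidance in place. The linked reference is a 2010 working draft; the current HTML Living Standard section on the iframe sandbox attribute would be the more durable citation.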