forgejo/modules/markup
Bojidar Marinov 81d90e1b0d fix: Fix invisible iframes with RENDER_CONTENT_MODE=iframe (#8378)
b01dce2a6e added support for `RENDER_CONTENT_MODE=iframe` which used `onload="this.height=this.contentWindow.document.documentElement.scrollHeight"` to set the height of the iframe to the height of the embedded document.
Unfortunately, while this might have worked at some point, with `sandbox="allow-scripts"`, the document embedded in the iframe is counted as a cross-origin document, and browsers prevent any access to cross-origin documents.
[The solution](https://stackoverflow.com/questions/8223239/how-to-get-height-of-iframe-cross-domain) is to instead use `window.postMessage` to pass the height from the embedded document back to the embedding page.
Would appreciate a review of the privacy implications of this change—I feel it's probably "okay", but I'm not convinced my analysis is perfect.

Resolves #7586

Manual test:

1. Add the following snippet to your `app.ini`:
```ini
[markup.html]
ENABLED = true
FILE_EXTENSIONS = .html
RENDER_COMMAND = cat
RENDER_CONTENT_MODE = iframe
NEED_POSTPROCESS = false
```
2. Create a file in a repository with the name `test.html` and with the following contents:
```html
<!DOCTYPE html>

<html lang="en">
<head>
<meta charset="utf-8"/>
</head>
<body>
Hi from iframe!
Here is a random number: <script>document.write(Math.random())</script>.
</body>
</html>
```
3. Go to the file.
4. Observe the HTML is rendered and that the height is not larger than it needs to be (38 pixels).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8378
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Bojidar Marinov <bojidar.marinov.bg@gmail.com>
Co-committed-by: Bojidar Marinov <bojidar.marinov.bg@gmail.com>
2025-09-06 16:23:01 +02:00
..
asciicast chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
common fix various typos (#7690) 2025-04-28 06:46:29 +00:00
console Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
csv Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
external chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
markdown Markdown: generate unique per comment HTML IDs for footnotes and headers (#8880) 2025-08-27 08:14:52 +02:00
mdstripper Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
orgmode Update module github.com/alecthomas/chroma/v2 to v2.20.0 (forgejo) (#8783) 2025-08-06 01:30:20 +02:00
tests/repo/repo1_filepreview fix inline file preview for files with encoded URL, fix #5069 (#6525) 2025-01-30 08:20:05 +00:00
camo.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
camo_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
file_preview.go feat(ui): improve multiline file preview and anchor detection (#9145) 2025-09-04 22:51:22 +02:00
html.go fix(ui): unescape file names in commit hash links (#9182) 2025-09-06 13:19:43 +02:00
html_internal_test.go fix: make hash pattern more strict (#7775) 2025-05-05 05:29:55 +00:00
html_test.go fix(ui): unescape file names in commit hash links (#9182) 2025-09-06 13:19:43 +02:00
renderer.go fix: Fix invisible iframes with RENDER_CONTENT_MODE=iframe (#8378) 2025-09-06 16:23:01 +02:00
renderer_test.go Move IsReadmeFile* from modules/markup/ to modules/util (#22877) 2023-02-13 15:01:09 -05:00
sanitizer.go fix(ui): add missing lazy load attribute to images (#8246) 2025-06-25 18:31:03 +02:00
sanitizer_test.go fix(ui): add missing lazy load attribute to images (#8246) 2025-06-25 18:31:03 +02:00