Recent Code Addition Causes internal iFrame URL's to stop working #5064

Open
opened 2026-02-20 16:29:06 -05:00 by deekerman · 16 comments

Originally created by @pstevens71 on GitHub (Sep 1, 2023).

Issue

I normally create entry points for custom graphs or reports. The entry points are by nature an internal link like:
myurl.com/?entryPoint=myentrypoint

I would use iframe dashlet to insert them on the dashboard. However, (I think in a recent update) this code was added to: /modules/Home/Dashlets/iFrameDashlet/iFrameDashlet.php

```php
if (isSelfRequest($this->url)) {
    $this->url = '';
}
```

It will always return true if it is an internal URL like an entry point, and then set $this->url to blank!

Then the dashlet won't have a URL and won't work. Not sure why this was added or what it's purpose is, but commenting it out seems to fix the issue.

Expected Behavior

  1. Create an iframe dashlet
  2. Paste in an internal URL (like to an entry point)
  3. It should render the page inside the dashlet.

Actual Behavior

The URL is blanked out by the code listed above and only the message "Incorrect website location is specified" is displayed.

Possible Fix

Unless there is a good reason for this, remove the 3 lines of code.

Steps to Reproduce

  1. Create an entry point (or any internal URL)
  2. Add a dashlet
  3. Add an iFrame dashlet
  4. It does not work; you get the error message

Context

I'm trying to embed iFrame of custom entryPoints, which worked previously.

Your Environment

  • SuiteCRM Version used: 7.13.3 (working 7.12.11)
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)): Any browser, tested chrome and Edge.
  • Environment name and version (e.g. MySQL, PHP 7): PHP 7.4
  • Operating System and version (e.g Ubuntu 16.04):

@SuiteBot commented on GitHub (Sep 1, 2023):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/how-to-add-other-charts-in-report-charts-for-ex-line-chart-bubble-chart-gauge-chart-funnel-chart-etc/61843/33


@chris001 commented on GitHub (Sep 1, 2023):

If you go to the code and click "Blame", it tells you when the code was added (7.13.2) and who added it; for this one it was @jack7anderson7. If you look at the 7.13.2 release notes or the release tag, it was probably added to fix a particular issue.

@pstevens71 commented on GitHub (Sep 1, 2023):

@chris001 cool! Thanks for taking the time to teach me!


@pstevens71 commented on GitHub (Sep 4, 2023):

Ok I think this code was added to prevent malicious code from being inserted in an iframe. I was thinking we could add an exception for custom entry points (I don't really know what the exact security issue was, just guessing, so if it didn't have to do with custom entry points....).

Add a function in /include/utils.php to check for custom entry points like this:

```php
function getCustomEntryPoints() {
    $customEntryPoints = [];
    // Specify the path to the entry_point_registry.ext.php file
    $entryPointRegistryPath = 'custom/application/Ext/EntryPointRegistry/entry_point_registry.ext.php';
    if (file_exists($entryPointRegistryPath)) {
        // Include the file; it populates $entry_point_registry in this function's scope
        include($entryPointRegistryPath);
        // Check if $entry_point_registry is an array
        if (isset($entry_point_registry) && is_array($entry_point_registry)) {
            // Iterate through each entry point definition
            foreach ($entry_point_registry as $entryPointName => $entryPointData) {
                // Add the entry point name to the custom entry points list
                $customEntryPoints[] = $entryPointName;
            }
        }
    }
    return $customEntryPoints;
}
```

Then we could modify the getCustomEntryPoints() function to return false if the URL matches one of the custom entry point URLs like this:

```php
function isSelfRequest($endpoint) : bool {
    $domain = 'localhost';
    if (isset($_SERVER["HTTP_HOST"])) {
        $domain = $_SERVER["HTTP_HOST"];
    }
    $siteUrl = SugarConfig::getInstance()->get('site_url');
    if (empty($siteUrl)) {
        $siteUrl = '';
    }
    // Get the list of valid custom entry points
    $customEntryPoints = getCustomEntryPoints();
    if (!empty($customEntryPoints)) {
        // Escape the names so they are matched literally inside the regex
        $quotedNames = array_map(static function ($name) {
            return preg_quote($name, '/');
        }, $customEntryPoints);
        // Check if the endpoint matches a URL of the form "$siteURL/?entryPoint={entry_point_name}"
        $entryPointPattern = "/^" . preg_quote($siteUrl, '/') . "\/\?entryPoint=(" . implode('|', $quotedNames) . ")$/i";
        if (preg_match($entryPointPattern, $endpoint)) {
            return false; // It matches a valid custom entry point URL
        }
    }
    // Check if the endpoint contains the domain or site URL
    // (an empty site_url must not match everything, so it is skipped)
    return stripos($endpoint, $domain) !== false
        || ($siteUrl !== '' && stripos($endpoint, $siteUrl) !== false);
}
```

I've tested the above and it does not allow embedding of internal URLs in an iframe (which I think was the intent), and it still allows for the embedding of registered entry points. Hoping @jack7anderson7 will chime in on this one. If it makes sense I'll enter a PR.


@SuiteBot commented on GitHub (Sep 4, 2023):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/how-to-add-other-charts-in-report-charts-for-ex-line-chart-bubble-chart-gauge-chart-funnel-chart-etc/61843/39


@SuiteBot commented on GitHub (Sep 20, 2023):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/home-page-dashlet-url-not-getting-current-link-suitecrm-8/89755/4


@SuiteBot commented on GitHub (Dec 14, 2023):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/third-party-report-writer-compatibility/91230/13


@SuiteBot commented on GitHub (Jan 26, 2024):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/entry-points-in-suitecrm-8/91675/2


@chris001 commented on GitHub (Jan 26, 2024):

@pstevens71 Did you make a PR for your solution? If not, you should, it looks good to me.


@shubham-pawar commented on GitHub (Feb 9, 2024):

@chris001, I used code suggested by Paul, but it did not work for me. I am still unable to add web URL dashlets to home page. Could you please provide your code file and steps to implement it? 👍


@chris001 commented on GitHub (Feb 10, 2024):

> @chris001, I used code suggested by Paul, but it did not work for me. I am still unable to add web URL dashlets to home page. Could you please provide your code file and steps to implement it? 👍

Hi @shubham-pawar Paul coded functions to allow a dashlet to display a URL which is [registered as an "entryPoint" into Suite](https://docs.suitecrm.com/developer/entry-points/) (internal Suite URL). Paul's code does not allow any external web URL, because those aren't registered as an `entryPoint` to an internal Suite URL. To allow any external web URL to display in dashlet, you could do it like this, for example: 1) set in `config_override.php` an array of web URL which you trust & allow to display inside Suite dashlet, 2) check the URL in `isSelfRequest($endpoint) : bool`, and return `true` when the URL is matching one of the allowed URL in the array in `config_override.php`.


@shubham-pawar commented on GitHub (Feb 14, 2024):

@chris001, I will give it a try some day and update you. Thank you! If you provide code too, it will be helpful.


@shubham-pawar commented on GitHub (Feb 23, 2024):

@chris001

Do you mean something like below in the config_override.php?

```php
$sugar_config['trusted_urls'] = 'https://example.com,https://subdomain.example.com';
```


@chris001 commented on GitHub (Feb 24, 2024):

That could work. In isSelfRequest() you would check whether the URL is in the trusted URLs list.
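
Combining Paul's registered entry point allowlist (his Sep 4 comment) with the trusted_urls allowlist discussed in the last few comments, here is an added example of a stricter check; it is my code, not SuiteCRM's, the function names are hypothetical, and constructed sample arrays stand in for the registry include and the SugarConfig lookup. It returns true when the dashlet should refuse the URL, which is what the original `isSelfRequest()` call expects, and it compares whole origins via `parse_url()` rather than substring search.

```php
<?php
// Added example, not SuiteCRM code: stricter variant of the isSelfRequest() idea.
// Returns true when the iFrame dashlet should refuse a URL. Allowed are only
// (a) this site's origin carrying a registered custom entryPoint, and
// (b) origins listed in an explicit trusted_urls allowlist.
// Constructed stand-ins for getCustomEntryPoints() and $sugar_config['trusted_urls']:
const DEMO_SITE_URL = 'https://crm.example.com';
const DEMO_ENTRY_POINTS = ['myentrypoint', 'salesReport'];
const DEMO_TRUSTED_URLS = ['https://dashboards.example.net', 'https://status.example.org:8443'];

// "scheme://host[:port]" in lower case, or null for relative or malformed URLs.
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

function shouldRefuseIframeUrl(string $url, string $siteUrl, array $entryPoints, array $trusted): bool
{
    $origin = originOf($url);
    if ($origin === null) {
        return true; // relative or unparsable: refuse rather than guess
    }
    if ($origin === originOf($siteUrl)) {
        // Same origin: only ?entryPoint=<registered name> is allowed; any other
        // internal page (e.g. index.php?module=...) is still refused.
        $query = [];
        parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
        return !in_array($query['entryPoint'] ?? '', $entryPoints, true);
    }
    foreach ($trusted as $t) {
        if (originOf($t) === $origin) {
            return false; // exact origin match against the allowlist
        }
    }
    return true;
}

// Demo run: which candidates would the dashlet accept?
$candidates = [
    DEMO_SITE_URL . '/?entryPoint=myentrypoint',     // allowed: registered entry point
    DEMO_SITE_URL . '/?entryPoint=unknown',          // refused: not registered
    DEMO_SITE_URL . '/index.php?module=Users',       // refused: internal page, no entryPoint
    'https://dashboards.example.net/board/1',        // allowed: trusted origin, any path
    'https://dashboards.example.net.example.org/',   // refused: host only starts with a trusted name
    '/index.php?entryPoint=myentrypoint',            // refused: relative URL, no origin
];
foreach ($candidates as $c) {
    $verdict = shouldRefuseIframeUrl($c, DEMO_SITE_URL, DEMO_ENTRY_POINTS, DEMO_TRUSTED_URLS);
    printf("%-48s %s\n", $c, $verdict ? 'refused' : 'allowed');
}
```

The last two candidates are where a `stripos()` substring check would give the wrong answer; a real implementation would read the entry point names from `getCustomEntryPoints()` and the allowlist from `SugarConfig`.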

@SuiteBot commented on GitHub (Mar 28, 2024):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/getting-some-error-when-i-try-to-add-dashlets/91504/16


@SuiteBot commented on GitHub (May 27, 2025):

This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/getting-some-error-when-i-try-to-add-dashlets/91504/24

Reference
starred/SuiteCRM-SuiteCRM#5064