iFrame Security and Alternatives

  • AgilityAssoc.Canada
    Asked on July 21, 2018 at 11:50 AM

    Hi,

    Is it possible to use <object> or <embed> rather than <iframe> in the text box field?

    There are some serious security concerns to consider with <iframe>s.

    Clickjacking is one kind of common iframe attack where hackers embed an invisible iframe into your document (or embed your document into their own malicious website) and use it to capture users' interactions. This is a common way to mislead users or steal sensitive data.

    I suspect there are things to consider with any method of embedding.

    Are we protected from this type of iframe attack? 

    Can we use the sandbox attribute in iframes?

    Regards, Robert

  • Vanessa_T
    Replied on July 21, 2018 at 1:52 PM

    Is it possible to use <object> or <embed/> rather than <iframe> in the text box field?

    Apologies, however, I am not sure I understand what you meant. The textbox fields are not using iFrame at all. Are you instead referring to something else?

    I suspect there are things to consider with any method of embedding.

    Are we protected from this type of iframe attack? 

    JotForm has made every effort to make our forms secure. As with anything else, related to embedding or not, there will always be those who try to do malicious acts to deceive others.

    If you would like to have added security/validations to your forms, you may want to try embedding the form by its source code instead.

    Can we use the sandbox attribute in iframes?

    Yes, you may; the very least that we would need, though, would be the following:

    sandbox="allow-same-origin allow-forms allow-popups allow-scripts"

    However, to ensure that your form works correctly, I would suggest to use the default iFrame embed code instead.
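
    An added example, not JotForm's code, that parses a sandbox token list such as the one quoted above and reports what each token re-enables, flagging the combinations a reviewer would want to look at twice. Token names and meanings follow the HTML standard; the form URL is a constructed placeholder.

```javascript
// Added example (not JotForm's code): inspect the token list of an
// <iframe sandbox="..."> attribute. The attribute is an unordered,
// ASCII case-insensitive, whitespace-separated set of tokens; an empty
// value keeps every restriction in force.
const SANDBOX_TOKENS = new Map([
  ['allow-forms', 'framed page may submit forms'],
  ['allow-scripts', 'framed page may run JavaScript'],
  ['allow-same-origin', 'framed page keeps its real origin (cookies, storage, same-origin DOM access)'],
  ['allow-popups', 'framed page may open new windows or tabs'],
  ['allow-popups-to-escape-sandbox', 'windows opened by the framed page are not sandboxed'],
  ['allow-modals', 'framed page may open alert/confirm/prompt dialogs'],
  ['allow-top-navigation', 'framed page may navigate the embedding tab away'],
  ['allow-top-navigation-by-user-activation', 'as above, but only after a user gesture'],
  ['allow-downloads', 'framed page may trigger downloads'],
  ['allow-pointer-lock', 'framed page may capture the mouse pointer'],
  ['allow-orientation-lock', 'framed page may lock screen orientation'],
  ['allow-presentation', 'framed page may start a presentation session'],
]);

// Returns { granted, unknown, warnings } for a sandbox attribute value.
function analyzeSandbox(value) {
  const tokens = [...new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean))];
  const granted = tokens.filter((t) => SANDBOX_TOKENS.has(t));
  const unknown = tokens.filter((t) => !SANDBOX_TOKENS.has(t));
  const warnings = [];
  // allow-scripts together with allow-same-origin: if the framed document is
  // same-origin with the embedding page, it can reach the parent DOM and
  // remove the sandbox attribute from its own <iframe>.
  if (granted.includes('allow-scripts') && granted.includes('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: a same-origin framed page can strip its own sandbox');
  }
  if (granted.includes('allow-top-navigation')) {
    warnings.push('allow-top-navigation: framed page can redirect the whole tab without a user gesture');
  }
  return { granted, unknown, warnings };
}

// Builds the embed tag with both values escaped for an HTML attribute context.
function buildEmbed(src, value) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${esc(src)}" sandbox="${esc(value)}"></iframe>`;
}

// Constructed input: the minimum token set quoted in the reply above.
const MIN_TOKENS = 'allow-same-origin allow-forms allow-popups allow-scripts';
console.log(analyzeSandbox(MIN_TOKENS));
console.log(buildEmbed('https://example.com/form-placeholder', MIN_TOKENS)); // placeholder URL
```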

  • AgilityAssoc.Canada
    Replied on July 21, 2018 at 2:02 PM

    Hi, I guess I have you somewhat confused.

    In the text field you can use iframe to show something outside the form.

    I was asking if one could use object or embed elements also.

    And I am not able to embed my code at the site. What I was referring to was using sandbox for the iframe in the text field.

    I hope this helps you comprehend my questions.

    Thank you, Robert

  • Victoria_K
    Replied on July 21, 2018 at 3:35 PM

    Hello Robert,

    Do you refer to the Text element on the screenshot below?

    [Screenshot: the Text element]

    As far as I know, this field accepts some HTML code + CSS styling, but rejects others for security reasons. I was not able to add any iframe through that field. Were you successful in embedding custom pages through the Text element?

    Apologies if I misunderstood your question.

  • AgilityAssoc.Canada
    Replied on July 22, 2018 at 12:16 PM

    Hi,

    Yes, you are quite right. iframes cannot be used, and no, I have not had success with it. What can be used is <object>, but it has extreme limitations. Unlike iframe and embed, it remains after closing. I don't know how it might be used.

    I think my questions have been answered so I thank you all.

    Regards, Robert