fix

Author: wxiaoguang

modules/markup/render.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"code.gitea.io/gitea/modules/htmlutil"
 	"code.gitea.io/gitea/modules/markup/internal"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
@@ -164,23 +165,28 @@ func RenderString(ctx *RenderContext, content string) (string, error) {
 }
 
 func renderIFrame(ctx *RenderContext, output io.Writer) error {
-	// set height="0" ahead, otherwise the scrollHeight would be max(150, realHeight)
-	// at the moment, only "allow-scripts" is allowed for sandbox mode.
-	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
-	// TODO: when using dark theme, if the rendered content doesn't have proper style, the default text color is black, which is not easy to read
-	_, err := io.WriteString(output, fmt.Sprintf(`
-<iframe src="%s/%s/%s/render/%s/%s"
-name="giteaExternalRender"
-onload="this.height=giteaExternalRender.document.documentElement.scrollHeight"
-width="100%%" height="0" scrolling="no" frameborder="0" style="overflow: hidden"
-sandbox="allow-scripts"
-></iframe>`,
-		setting.AppSubURL,
+	src := fmt.Sprintf("%s/%s/%s/render/%s/%s", setting.AppSubURL,
 		url.PathEscape(ctx.RenderOptions.Metas["user"]),
 		url.PathEscape(ctx.RenderOptions.Metas["repo"]),
-		ctx.RenderOptions.Metas["RefTypeNameSubURL"],
-		url.PathEscape(ctx.RenderOptions.RelativePath),
-	))
+		util.PathEscapeSegments(ctx.RenderOptions.Metas["RefTypeNameSubURL"]),
+		util.PathEscapeSegments(ctx.RenderOptions.RelativePath),
+	)
+
+	defaultWidth := "100%"
+	defaultHeight := "300"
+
+	// ATTENTION! at the moment, only "allow-scripts" is allowed for sandbox mode.
+	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
+	iframe := htmlutil.HTMLFormat(`
+<iframe data-src="%s"
+	class="external-render-iframe"
+	sandbox="allow-scripts"
+	width="%s" height="%s"
+></iframe>
+`,
+		src, defaultWidth, defaultHeight)
+
+	_, err := io.WriteString(output, string(iframe))
 	return err
 }
 

web_src/css/index.css

@@ -44,6 +44,7 @@
 @import "./features/console.css";
 
 @import "./markup/content.css";
+@import "./markup/render.css";
 @import "./markup/codecopy.css";
 @import "./markup/codepreview.css";
 @import "./markup/asciicast.css";

web_src/css/markup/render.css

@@ -0,0 +1,3 @@
+.markup .external-render-iframe {
+
+}