Rally Software

I would like to create an app in Agile Central that shows a calendar from Smartsheet. I am trying to do this with a Custom HTML app. Can I use an iframe or object tag to embed HTML from an external source?

Hello,

You can add include custom html in the Custom HTML app.  I have included the following link to help guide you in the process.

Custom HTML | CA Agile Central Help 

I wanted to also make you aware of the following when using Custom HTML

MPORTANT: Enabling custom app pages allows users to create pages containing HTML, JavaScript, and other client-side scripting languages. Your subscription administrator must enable custom apps. Customers should consider and follow their own security policies and procedures when developing and implementing custom HTML pages. Improper implementation can expose your subscription to Cross Site Scripting (XSS) security vulnerabilities such as code injection and the manipulation of client-side applications by malicious users. Handle output properly by encoding or using an escaping sequence, validating user-supplied input, and using HTTPOnly cookie flag. For more information, please visit XSS (Cross Site Scripting) Prevention Cheat Sheet.

Please let us know if you have any other questions.

Thank you,

Christian 

I know I can put in custom HTML, and I have no problems getting results with basic HTML like an <h1> tag. When I try to use <iframe> or <object> to show something from an external site, nothing appears. Are there any limitations on using <iframe>, or is there a better HTML tag to use to try to show HTML from elsewhere?

Thanks

Hello,

I'm still in the process of researching the issue but with the cross domain browser security issues it is possible it will not work. Can you included a snippet of HTML so we can review it further?

Thank you,

Christian 

Thanks. I have a Custom HTML app. Here's HTML that I've pasted in:

<h1>Here is some external content in an iframe:</h1>
<IFRAME FRAMEBORDER=0 SRC="http://publish.smartsheet.com/243a1fef864b44e6b29715c07ac3d7ca"></IFRAME>
<h1>Here is some external content with an object tag:</h1>
<object type="text/html" data="http://publish.smartsheet.com/243a1fef864b44e6b29715c07ac3d7ca" > </object>

The result is that I can see the header text, but I can't see the external content that I'm trying to share.

MarkArmantrout1358389 yep, the reason is because trying to load content from an insecure site over HTTP is blocked from within a secured domain (HTTPS). No browser will allow that to happen unless you disable some security settings, which I would not recommend!

Here's what I get in the browser console when I try to use that HTML:

Mixed Content: The page at 'https://rally1.rallydev.com/#/18386785696d/custom/61134406806' was loaded over HTTPS, but requested an insecure resource 'http://publish.smartsheet.com/243a1fef864b44e6b29715c07ac3d7ca'. This request has been blocked; the content must be served over HTTPS.

Thank you, that's very helpful.

- Mark