
[spike] iframe isolation defense in depth for Charts
Open, Medium, Public

Description

We've been a bit concerned about the interactions of various pieces of the wiki in producing safe HTML+SVG output, plus adding dynamic rendering on top. It seems worth investigating a rendering that places all the "scary bits" inside a sandboxed <iframe> element.

Spike parameters:

  • Can emit the chart SVG plus echarts JS loader in a wrapper HTML document, in an <iframe srcdoc="..."> attribute, for minimal changes to architecture.
  • Sandboxing attributes on the iframe can be used to block access to the parent document, lock down network, etc. We'd need to allow JS and may want to allow network for loading the JS.

Considerations:

  • HTML page size implications? (additional escaping, wrapper code)
  • Do we have to wrap the echarts .js or can we reference it without still exposing security issues?
  • Loading time implications? iframes may be heavier on resources than inline svg in the same document
  • Ease of integration: any foreseen problems due to the intermediary iframe vs the rendering and interactivity?

See also: T169027, T222807, T352227
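
A sketch of the wrapper described in the spike parameters, added here as an example and not code from this task or the Charts extension. The function names, the placeholder loader URL, the constructed sample SVG and the in-frame CSP `<meta>` are all assumptions; it also reports the extra bytes that escaping and wrapper markup add, per the page-size consideration.

```javascript
// Added example: every name and value here is hypothetical, not Charts code.
const LOADER_URL = 'https://example.org/echarts-loader.js'; // placeholder URL

// Constructed sample: an SVG whose text tries to close the srcdoc attribute.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<text>a & b "></iframe></text></svg>';

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Wrapper document: the CSP allows one script source and no other network use.
function buildWrapperDoc(svg, loaderUrl) {
  const csp = `default-src 'none'; script-src ${loaderUrl}; ` +
    "style-src 'unsafe-inline'";
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(csp)}">` +
    '</head><body>' + svg +
    `<script src="${escapeAttr(loaderUrl)}"></script>` +
    '</body></html>';
}

// Build the <iframe> markup and measure what the wrapping costs in bytes.
function buildSandboxedFrame(svg, loaderUrl = LOADER_URL) {
  const srcdoc = escapeAttr(buildWrapperDoc(svg, loaderUrl));
  // allow-scripts only: without allow-same-origin the frame gets an opaque
  // origin, so its scripts cannot reach the parent DOM, cookies or storage.
  const html = `<iframe sandbox="allow-scripts" srcdoc="${srcdoc}"></iframe>`;
  const bytes = (s) => new TextEncoder().encode(s).length;
  return { html, overheadBytes: bytes(html) - bytes(svg) };
}
```

The whole wrapper document is escaped once as an attribute value, so the browser decodes it back to the original markup inside the frame while nothing in the SVG can terminate the `srcdoc` attribute in the parent page.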