External without iframe

[fxcb]

With a new configuration select, users can choose to show the external content in the default iframe or in the self window

[PVince81]

Thanks for the PR.

@Peter-Prochaska any security implications ? I guess it's fine to give the admin control over this as I'd expect admins to be responsible people for their own systems. External sites cannot be configured by regular users for others.

cc @pmaier1 for this feature extension

[peterprochaska]

Oh Yes. I see strip_tag is used, which will delete all tags like <script>. But what is with attributes?
If I set the target to " onselect="javascript:some xss-code"? Then the code will be executed after selecting this option. htmlspecialchars with ENT_QUOTE or some internal escaping function should be used.
And this app is only for admins?

[pmaier1]

cc @pmaier1 for this feature extension

Cool stuff, thanks! Would be nice to continue the app in a more secure way. @Peter-Prochaska's call

[pirate]

The valid targets are: _blank, _parent, _self, and _top, rather than trying to strip XSS, can we just check to make sure the input is one of those values and error if it isn't.
We don't need _parent, we can just use _top since only one iframe level exists in ownCloud External Sites.

The nice thing about _blank is that it replaces the "Bookmarks" app for companies that only have a few major bookmarks that everyone shares, e.g. "Email", "Chat", and "Management Console". Instead of sharing bookmarks they can just put these core sites in the ownCloud menu and that becomes the hub for everyone's company services.

I finished this PR with the proper XSS validation here: #2221

That PR should have everything, let me know if I missed something. Sorry for taking over the PR @fcasanellas, I'm just eager to get this feature out since I have some users waiting for it.