feat: embeddable forms + fix 5 CodeQL security alerts

Embeddable Forms:
- form_embed view (@xframe_options_exempt) renders forms in a minimal
  iframe-friendly layout (embed_base.html, no navbar/footer)
- dfw-embed.js loader script for external sites: creates iframe, handles
  auto-resize via postMessage, fires callbacks on load/submit
- embed_enabled BooleanField on FormDefinition
- postMessage protocol: dfw:loaded, dfw:resize, dfw:submitted
- Inline success rendering (no redirects) to stay self-contained
- SameSite=None; Secure on CSRF cookie for cross-origin iframe
- Form builder: Embeddable checkbox in Submission Controls
- Admin: embed_enabled in API & Embedding fieldset
- sync_api: embed_enabled in export/import
- clone_forms: embed_enabled included
- Migration 0086
- 14 new tests covering GET/POST, disabled/inactive, theme, accent color
  sanitisation, closed form, max submissions, audit log, success message
  piping, no-redirect behavior

Security fixes (CodeQL alerts #23, #25, #26-28):
- #25: workflow-builder.js — validate workflowId as integer and use URL()
  constructor instead of template literal in window.location.href
- #26-28: sync_api.py — remove user-supplied form slugs from log messages
  to prevent clear-text logging of potentially sensitive information
- #23: workflow_builder_views.py — stop exposing ValidationError exception
  messages in JSON response; log them server-side instead

Co-authored-by: Claude Code <noreply@anthropic.com>

Author: matteius

django_forms_workflows/admin.py

@@ -669,12 +669,13 @@ class FormDefinitionAdmin(nested_admin.NestedModelAdmin):
             },
         ),
         (
-            "API Access",
+            "API & Embedding",
             {
                 "classes": ("collapse",),
-                "fields": ("api_enabled",),
+                "fields": ("api_enabled", "embed_enabled"),
                 "description": (
-                    "Enable this form for REST API submission. Requires the API URLs "
+                    "Enable this form for REST API submission or iframe embedding. "
+                    "API requires the API URLs "
                     "to be included in your project's <code>urls.py</code> and a valid "
                     "<strong>APIToken</strong> in the <code>Authorization: Bearer</code> "
                     "header. All existing submit_groups / view_groups permissions still apply."
@@ -847,6 +848,7 @@ def clone_forms(self, request, queryset):
                         allow_withdrawal=form.allow_withdrawal,
                         allow_resubmit=form.allow_resubmit,
                         allow_batch_import=form.allow_batch_import,
+                        embed_enabled=form.embed_enabled,
                         payment_enabled=form.payment_enabled,
                         payment_provider=form.payment_provider,
                         payment_amount_type=form.payment_amount_type,

django_forms_workflows/form_builder_views.py

@@ -344,6 +344,7 @@ def form_builder_load(request, form_id):
         "payment_currency": form_definition.payment_currency,
         "payment_description_template": form_definition.payment_description_template,
         "enable_captcha": form_definition.enable_captcha,
+        "embed_enabled": form_definition.embed_enabled,
         "enable_multi_step": form_definition.enable_multi_step,
         "form_steps": form_definition.form_steps or [],
         "enable_auto_save": form_definition.enable_auto_save,
@@ -390,6 +391,7 @@ def form_builder_save(request):
         payment_currency = data.get("payment_currency", "usd")
         payment_description_template = data.get("payment_description_template", "")
         enable_captcha = data.get("enable_captcha", False)
+        embed_enabled = data.get("embed_enabled", False)
         enable_multi_step = data.get("enable_multi_step", False)
         form_steps = data.get("form_steps", [])
         enable_auto_save = data.get("enable_auto_save", True)
@@ -435,6 +437,7 @@ def form_builder_save(request):
                     payment_description_template
                 )
                 form_definition.enable_captcha = enable_captcha
+                form_definition.embed_enabled = embed_enabled
                 form_definition.enable_multi_step = enable_multi_step
                 form_definition.form_steps = form_steps
                 form_definition.enable_auto_save = enable_auto_save
@@ -465,6 +468,7 @@ def form_builder_save(request):
                     payment_currency=payment_currency,
                     payment_description_template=payment_description_template,
                     enable_captcha=enable_captcha,
+                    embed_enabled=embed_enabled,
                     enable_multi_step=enable_multi_step,
                     form_steps=form_steps,
                     enable_auto_save=enable_auto_save,

django_forms_workflows/migrations/0086_add_embed_enabled.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.2.7 on 2026-04-02 00:47
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_forms_workflows", "0085_add_payment_system"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="formdefinition",
+            name="embed_enabled",
+            field=models.BooleanField(
+                default=False,
+                help_text="Allow this form to be embedded on external websites via an iframe. The form is served at /forms/<slug>/embed/ with a minimal layout. Works best with requires_login=False forms.",
+            ),
+        ),
+    ]

django_forms_workflows/models.py

@@ -203,6 +203,14 @@ class FormDefinition(models.Model):
             "All existing permission checks (submit_groups, view_groups) still apply."
         ),
     )
+    embed_enabled = models.BooleanField(
+        default=False,
+        help_text=(
+            "Allow this form to be embedded on external websites via an iframe. "
+            "The form is served at /forms/<slug>/embed/ with a minimal layout. "
+            "Works best with requires_login=False forms."
+        ),
+    )
     requires_login = models.BooleanField(
         default=True, help_text="Form requires authentication"
     )

django_forms_workflows/static/django_forms_workflows/js/dfw-embed.js

@@ -0,0 +1,133 @@
+/**
+ * Django Forms Workflows — Embeddable Form Loader
+ *
+ * Drop this script tag on any webpage to embed a form:
+ *
+ *   <script src="https://server/static/django_forms_workflows/js/dfw-embed.js"
+ *     data-form="contact-us"
+ *     data-server="https://server"
+ *   ></script>
+ *
+ * Attributes:
+ *   data-form       (required) Form slug
+ *   data-server     (required) Base URL of the DFW server
+ *   data-target     CSS selector of container (default: insert after script tag)
+ *   data-on-submit  Global function name called on successful submission
+ *   data-on-load    Global function name called when form has loaded
+ *   data-theme      "light" (default) or "dark"
+ *   data-accent-color  Hex color for primary buttons (e.g., "#ff6600")
+ *   data-min-height Minimum iframe height in px (default: 300)
+ *   data-loading-text  Text shown while loading (default: "Loading form...")
+ */
+(function () {
+    'use strict';
+
+    // Find our own script tag
+    var script = document.currentScript;
+    if (!script) {
+        // Fallback for older browsers
+        var scripts = document.getElementsByTagName('script');
+        script = scripts[scripts.length - 1];
+    }
+
+    var formSlug = script.getAttribute('data-form');
+    var server = script.getAttribute('data-server');
+
+    if (!formSlug || !server) {
+        console.error('[dfw-embed] data-form and data-server attributes are required.');
+        return;
+    }
+
+    // Read optional attributes
+    var targetSelector = script.getAttribute('data-target');
+    var onSubmitFn = script.getAttribute('data-on-submit');
+    var onLoadFn = script.getAttribute('data-on-load');
+    var theme = script.getAttribute('data-theme') || '';
+    var accentColor = script.getAttribute('data-accent-color') || '';
+    var minHeight = parseInt(script.getAttribute('data-min-height')) || 300;
+    var loadingText = script.getAttribute('data-loading-text') || 'Loading form...';
+
+    // Normalize server URL (remove trailing slash)
+    server = server.replace(/\/+$/, '');
+
+    // Build embed URL
+    var embedUrl = server + '/forms/' + encodeURIComponent(formSlug) + '/embed/';
+    var params = [];
+    if (theme) params.push('theme=' + encodeURIComponent(theme));
+    if (accentColor) params.push('accent_color=' + encodeURIComponent(accentColor));
+    if (params.length) embedUrl += '?' + params.join('&');
+
+    // Create container
+    var container = document.createElement('div');
+    container.className = 'dfw-embed-container';
+    container.style.cssText = 'width:100%;position:relative;';
+
+    // Loading indicator
+    var loading = document.createElement('div');
+    loading.textContent = loadingText;
+    loading.style.cssText = 'text-align:center;padding:2rem;color:#6c757d;font-family:sans-serif;font-size:0.9rem;';
+    container.appendChild(loading);
+
+    // Create iframe
+    var iframe = document.createElement('iframe');
+    iframe.src = embedUrl;
+    iframe.style.cssText = 'width:100%;border:none;overflow:hidden;display:none;min-height:' + minHeight + 'px;';
+    iframe.setAttribute('scrolling', 'no');
+    iframe.setAttribute('allowtransparency', 'true');
+    iframe.setAttribute('title', 'Form: ' + formSlug);
+    container.appendChild(iframe);
+
+    // Insert into DOM
+    if (targetSelector) {
+        var target = document.querySelector(targetSelector);
+        if (target) {
+            target.appendChild(container);
+        } else {
+            console.error('[dfw-embed] Target element not found:', targetSelector);
+            script.parentNode.insertBefore(container, script.nextSibling);
+        }
+    } else {
+        script.parentNode.insertBefore(container, script.nextSibling);
+    }
+
+    // Parse the server origin for message validation
+    var serverOrigin;
+    try {
+        var a = document.createElement('a');
+        a.href = server;
+        serverOrigin = a.protocol + '//' + a.host;
+    } catch (e) {
+        serverOrigin = server;
+    }
+
+    // Listen for postMessage events from the iframe
+    window.addEventListener('message', function (event) {
+        // Validate origin
+        if (event.origin !== serverOrigin) return;
+
+        var data = event.data;
+        if (!data || !data.type || data.formSlug !== formSlug) return;
+
+        switch (data.type) {
+            case 'dfw:loaded':
+                loading.style.display = 'none';
+                iframe.style.display = 'block';
+                if (onLoadFn && typeof window[onLoadFn] === 'function') {
+                    window[onLoadFn](data);
+                }
+                break;
+
+            case 'dfw:resize':
+                if (data.height) {
+                    iframe.style.height = Math.max(data.height + 20, minHeight) + 'px';
+                }
+                break;
+
+            case 'dfw:submitted':
+                if (onSubmitFn && typeof window[onSubmitFn] === 'function') {
+                    window[onSubmitFn](data);
+                }
+                break;
+        }
+    });
+})();

django_forms_workflows/static/django_forms_workflows/js/form-builder.js

@@ -2000,6 +2000,7 @@ class FormBuilder {
             if (data.max_submissions) document.getElementById('formMaxSubmissions').value = data.max_submissions;
             document.getElementById('formOnePerUser').checked = data.one_per_user || false;
             document.getElementById('formEnableCaptcha').checked = data.enable_captcha || false;
+            document.getElementById('formEmbedEnabled').checked = data.embed_enabled || false;
 
             // Load client-side enhancement settings
             document.getElementById('formEnableAutoSave').checked = data.enable_auto_save !== false;
@@ -2072,6 +2073,7 @@ class FormBuilder {
             max_submissions: parseInt(document.getElementById('formMaxSubmissions').value) || null,
             one_per_user: document.getElementById('formOnePerUser').checked,
             enable_captcha: document.getElementById('formEnableCaptcha').checked,
+            embed_enabled: document.getElementById('formEmbedEnabled').checked,
             enable_auto_save: document.getElementById('formEnableAutoSave').checked,
             auto_save_interval: parseInt(document.getElementById('formAutoSaveInterval').value) || 30,
             enable_multi_step: isMultiStep,

django_forms_workflows/static/django_forms_workflows/js/workflow-builder.js

@@ -268,7 +268,12 @@ class WorkflowBuilder {
         if (workflowTrackSelect) {
             workflowTrackSelect.addEventListener('change', (event) => {
                 const workflowId = event.target.value;
-                window.location.href = `${this.config.workflowBuilderUrl}?workflow_id=${workflowId}`;
+                // Validate that workflowId is a safe integer before using in URL
+                if (/^\d+$/.test(workflowId)) {
+                    const url = new URL(this.config.workflowBuilderUrl, window.location.origin);
+                    url.searchParams.set('workflow_id', workflowId);
+                    window.location.href = url.toString();
+                }
             });
         }
 

django_forms_workflows/sync_api.py

@@ -429,6 +429,7 @@ def serialize_form(form_definition):
             "auto_save_interval": form_definition.auto_save_interval,
             "pdf_generation": form_definition.pdf_generation,
             "api_enabled": form_definition.api_enabled,
+            "embed_enabled": form_definition.embed_enabled,
             "payment_enabled": form_definition.payment_enabled,
             "payment_provider": form_definition.payment_provider,
             "payment_amount_type": form_definition.payment_amount_type,
@@ -650,6 +651,7 @@ def import_form(form_data, conflict="update", category_cache=None):
         "auto_save_interval": fd.get("auto_save_interval", 30),
         "pdf_generation": fd.get("pdf_generation", False),
         "api_enabled": fd.get("api_enabled", False),
+        "embed_enabled": fd.get("embed_enabled", False),
         "payment_enabled": fd.get("payment_enabled", False),
         "payment_provider": fd.get("payment_provider", ""),
         "payment_amount_type": fd.get("payment_amount_type", "fixed"),
@@ -835,10 +837,8 @@ def import_form(form_data, conflict="update", category_cache=None):
                 )
             else:
                 logger.warning(
-                    "Sync import: sub-workflow form '%s' not found for form '%s';"
-                    " sub_workflow_config skipped.",
-                    sub_form_slug,
-                    slug,
+                    "Sync import: sub-workflow form not found for parent form;"
+                    " sub_workflow_config skipped."
                 )
         else:
             SubWorkflowDefinition.objects.filter(parent_workflow=wf).delete()
@@ -888,7 +888,7 @@ def import_form(form_data, conflict="update", category_cache=None):
     for action_data in form_data.get("post_actions", []):
         PostSubmissionAction.objects.create(form_definition=form_obj, **action_data)
 
-    logger.info("Sync import: form '%s' %s.", slug, action)
+    logger.info("Sync import: form %s.", action)
     return form_obj, action
 
 

django_forms_workflows/templates/admin/django_forms_workflows/form_builder.html

@@ -772,6 +772,12 @@ <h6 class="text-muted border-bottom pb-2">
                             <label class="form-check-label" for="formEnableCaptcha">CAPTCHA</label>
                         </div>
                     </div>
+                    <div class="col-md-2">
+                        <div class="form-check mt-4">
+                            <input class="form-check-input" type="checkbox" id="formEmbedEnabled">
+                            <label class="form-check-label" for="formEmbedEnabled">Embeddable</label>
+                        </div>
+                    </div>
 
                     <!-- Payment -->
                     <div class="col-12 mt-3">

django_forms_workflows/templates/django_forms_workflows/embed_base.html

@@ -0,0 +1,55 @@
+{% load static %}
+<!DOCTYPE html>
+<html lang="en" {% if theme == 'dark' %}data-bs-theme="dark"{% endif %}>
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{% block title %}Form{% endblock %}</title>
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.0/font/bootstrap-icons.css">
+    <link rel="stylesheet" href="{% static 'django_forms_workflows/css/forms.css' %}">
+    <base target="_blank">
+    <style>
+        body { margin: 0; padding: 16px; background: transparent; overflow-x: hidden; }
+        .card { border: none; box-shadow: none; }
+    </style>
+    {% if accent_color %}
+    <style>
+        .btn-primary { background-color: {{ accent_color }}; border-color: {{ accent_color }}; }
+        .btn-primary:hover { background-color: {{ accent_color }}; border-color: {{ accent_color }}; filter: brightness(0.9); }
+    </style>
+    {% endif %}
+    {% block extra_css %}{% endblock %}
+</head>
+<body>
+    {% block content %}{% endblock %}
+
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
+    <script>
+    (function() {
+        function sendToParent(type, data) {
+            var msg = Object.assign({type: type, formSlug: '{{ form_def.slug }}'}, data || {});
+            try { window.parent.postMessage(msg, '*'); } catch(e) {}
+        }
+
+        function notifyHeight() {
+            sendToParent('dfw:resize', {height: document.documentElement.scrollHeight});
+        }
+
+        if (window.ResizeObserver) {
+            new ResizeObserver(notifyHeight).observe(document.body);
+        } else {
+            setInterval(notifyHeight, 500);
+        }
+
+        document.addEventListener('DOMContentLoaded', function() {
+            notifyHeight();
+            sendToParent('dfw:loaded');
+        });
+
+        window.__dfwEmbed = {sendToParent: sendToParent, notifyHeight: notifyHeight};
+    })();
+    </script>
+    {% block extra_js %}{% endblock %}
+</body>
+</html>