opensensor
diff --git a/‎CHANGELOG.md‎
Lines changed: 29 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 12 additions & 0 deletions b/‎README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎django_forms_workflows/static/django_forms_workflows/js/dfw-embed.js‎
Lines changed: 17 additions & 13 deletions b/‎django_forms_workflows/static/django_forms_workflows/js/dfw-embed.js‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎django_forms_workflows/templates/admin/django_forms_workflows/formdef_change_form.html‎
Lines changed: 173 additions & 4 deletions b/‎django_forms_workflows/templates/admin/django_forms_workflows/formdef_change_form.html‎
Lines changed: 173 additions & 4 deletions
@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.59.0] - 2026-04-02
+
+### Added
+- **Embeddable Forms** — Embed DFW forms on any external website via iframe:
+  - `dfw-embed.js` loader script: creates responsive iframe with auto-resize via `postMessage` (`dfw:loaded`, `dfw:resize`, `dfw:submitted`), configurable theme, accent color, callbacks.
+  - `embed_base.html` minimal layout (no navbar/footer) + `form_embed.html` with full field JS support + `embed_success.html` inline success state.
+  - `form_embed` view with `@xframe_options_exempt`, `SameSite=None; Secure` CSRF cookie, rate limiting for anonymous submissions, submission controls (close date, max submissions).
+  - `embed_enabled` BooleanField on `FormDefinition`.
+  - Admin: embed code panel on FormDefinition change form with three tabs (JS Embed, iframe Fallback, WordPress Shortcode) with copy-to-clipboard buttons.
+  - Form builder: "Embeddable" checkbox in Submission Controls.
+  - sync_api export/import and clone support.
+  - Migration `0086`.
+- **WordPress Plugin** (`wordpress/dfw-forms/`):
+  - `[dfw_form]` shortcode with full attribute sanitization.
+  - Gutenberg block (apiVersion 3, no build step) with live preview and sidebar controls.
+  - Settings page at Settings > DFW Forms with server URL and "Test Connection" button.
+  - JS and iframe embed modes; WordPress.com compatibility notes.
+
+### Fixed
+- **CodeQL #25**: DOM text reinterpreted as HTML in workflow-builder.js — validate workflowId and use `URL()` constructor.
+- **CodeQL #26-28**: Clear-text logging of form slugs in sync_api.py — removed user-supplied values from log messages.
+- **CodeQL #23**: Information exposure via ValidationError in workflow_builder_views.py — log server-side only, return generic error.
+
+### Documentation
+- `docs/EMBEDDING.md` — full embedding guide: JS loader, iframe fallback, WordPress plugin, security considerations (CORS, CSP, CSRF, rate limiting).
+
+### Tests
+- 14 new embed tests: GET/POST, disabled/inactive, theme, accent color sanitisation, closed form, max submissions, audit log, success message piping, no-redirect behavior.
+
 ## [0.58.0] - 2026-04-02
 
 ### Added
 
@@ -21,6 +21,7 @@ Django Forms Workflows bridges the gap between simple form libraries (like Crisp
 - 🔄 **Cross-Instance Sync** — Push/pull form definitions between environments directly from the Django Admin.
 - 🔒 **Enterprise Security** — LDAP/AD & SSO authentication, RBAC with four permission tiers, complete audit trails.
 - 🌐 **REST API** — Opt-in Bearer-token API: list forms, fetch field schema, submit (or save draft), poll status. OpenAPI 3.0 schema + Swagger UI included.
+- 🖼️ **Embeddable Forms** — Embed forms on any website via a `<script>` tag or `<iframe>`. Auto-resize, theme/accent color support, postMessage callbacks. WordPress plugin included.
 - 💳 **Pluggable Payments** — Collect payments during form submission with a pluggable provider system. Stripe ships built-in; add custom providers via `register_provider()`.
 - 📋 **Shared Option Lists** — Define reusable choice lists once, reference from any form field. Update the list and every field reflects the change.
 - 🔗 **Dependent Workflows** — Workflows that start only after all other workflows on the form complete, enabling convergence gates after parallel tracks.
@@ -75,6 +76,17 @@ Spawn child workflow instances from a parent submission:
 
 See [Sub-Workflows Guide](docs/SUB_WORKFLOWS.md) for a full walkthrough.
 
+### 🖼️ Embeddable Forms
+Embed DFW forms on any external website:
+- Single `<script>` tag creates a responsive iframe with auto-resize via `postMessage`
+- Configurable theme (`light`/`dark`), accent color, min height
+- Callbacks: `data-on-submit`, `data-on-load` for parent page integration
+- WordPress plugin included (`[dfw_form]` shortcode + Gutenberg block)
+- Admin embed code panel with copy-to-clipboard snippets
+- Inline success state — no redirects, iframe stays self-contained
+
+See [Embedding Guide](docs/EMBEDDING.md).
+
 ### 💳 Payment Collection
 Collect payments as part of the form submission flow:
 - Pluggable provider architecture: `PaymentProvider` ABC, provider registry, `PaymentResult` dataclass
 
@@ -47,11 +47,22 @@
     var minHeight = parseInt(script.getAttribute('data-min-height')) || 300;
     var loadingText = script.getAttribute('data-loading-text') || 'Loading form...';
 
-    // Normalize server URL (remove trailing slash)
-    server = server.replace(/\/+$/, '');
+    // Validate server is a proper HTTP(S) URL to prevent script injection
+    var sanitisedServer;
+    try {
+        var parsedServer = new URL(server);
+        if (parsedServer.protocol !== 'https:' && parsedServer.protocol !== 'http:') {
+            console.error('[dfw-embed] data-server must be an http(s) URL');
+            return;
+        }
+        sanitisedServer = parsedServer.origin;
+    } catch (e) {
+        console.error('[dfw-embed] Invalid data-server URL:', e.message);
+        return;
+    }
 
-    // Build embed URL
-    var embedUrl = server + '/forms/' + encodeURIComponent(formSlug) + '/embed/';
+    // Build embed URL using validated origin
+    var embedUrl = sanitisedServer + '/forms/' + encodeURIComponent(formSlug) + '/embed/';
     var params = [];
     if (theme) params.push('theme=' + encodeURIComponent(theme));
     if (accentColor) params.push('accent_color=' + encodeURIComponent(accentColor));
@@ -90,15 +101,8 @@
         script.parentNode.insertBefore(container, script.nextSibling);
     }
 
-    // Parse the server origin for message validation
-    var serverOrigin;
-    try {
-        var a = document.createElement('a');
-        a.href = server;
-        serverOrigin = a.protocol + '//' + a.host;
-    } catch (e) {
-        serverOrigin = server;
-    }
+    // Use the already-validated origin for message validation
+    var serverOrigin = sanitisedServer;
 
     // Listen for postMessage events from the iframe
     window.addEventListener('message', function (event) {
 
@@ -89,6 +89,92 @@
             display: none;
             margin-top: 4px;
         }
+        /* Embed code panel */
+        .embed-code-panel {
+            background: #f8f9fa;
+            border: 1px solid #dee2e6;
+            border-radius: 8px;
+            padding: 20px;
+            margin: 20px 0;
+        }
+        .embed-code-panel h3 {
+            margin: 0 0 8px 0;
+            font-size: 14px;
+            color: #333;
+        }
+        .embed-code-panel .embed-warning {
+            background: #fff3cd;
+            border: 1px solid #ffc107;
+            border-radius: 4px;
+            padding: 8px 12px;
+            margin-bottom: 12px;
+            font-size: 13px;
+            color: #664d03;
+        }
+        .embed-code-tabs {
+            display: flex;
+            gap: 0;
+            border-bottom: 2px solid #dee2e6;
+            margin-bottom: 16px;
+        }
+        .embed-code-tab {
+            padding: 8px 16px;
+            border: none;
+            background: none;
+            font-size: 13px;
+            font-weight: 500;
+            color: #666;
+            cursor: pointer;
+            border-bottom: 2px solid transparent;
+            margin-bottom: -2px;
+        }
+        .embed-code-tab:hover {
+            color: #333;
+        }
+        .embed-code-tab.active {
+            color: #0d6efd;
+            border-bottom-color: #0d6efd;
+        }
+        .embed-code-content {
+            display: none;
+        }
+        .embed-code-content.active {
+            display: block;
+        }
+        .embed-code-content pre {
+            background: #1e1e1e;
+            color: #d4d4d4;
+            padding: 14px 16px;
+            border-radius: 6px;
+            font-size: 12px;
+            line-height: 1.5;
+            overflow-x: auto;
+            margin: 0 0 8px 0;
+            white-space: pre-wrap;
+            word-break: break-all;
+        }
+        .embed-code-content .embed-note {
+            font-size: 12px;
+            color: #666;
+            margin-top: 8px;
+        }
+        .embed-copy-btn {
+            padding: 6px 12px;
+            border: 1px solid #ccc;
+            border-radius: 4px;
+            background: #fff;
+            cursor: pointer;
+            font-size: 12px;
+        }
+        .embed-copy-btn:hover {
+            background: #f0f0f0;
+        }
+        .embed-copy-feedback {
+            font-size: 12px;
+            color: #28a745;
+            display: none;
+            margin-left: 8px;
+        }
     </style>
 {% endblock %}
 
@@ -140,23 +226,75 @@ <h3><i class="bi bi-qr-code"></i> Share Form via QR Code</h3>
             </div>
         </div>
     </div>
+    <div class="embed-code-panel">
+        <h3><i class="bi bi-code-slash"></i> Embed Code</h3>
+        <p style="font-size: 13px; color: #666; margin-bottom: 12px;">
+            Copy a code snippet to embed this form on any website.
+        </p>
+        {% if not original.embed_enabled %}
+        <div class="embed-warning">
+            <i class="bi bi-exclamation-triangle"></i>
+            Embedding is currently disabled for this form. Enable it in the "API &amp; Embedding" section above.
+        </div>
+        {% endif %}
+        <div class="embed-code-tabs">
+            <button type="button" class="embed-code-tab active" data-tab="js">JS Embed</button>
+            <button type="button" class="embed-code-tab" data-tab="iframe">iframe Fallback</button>
+            <button type="button" class="embed-code-tab" data-tab="wordpress">WordPress</button>
+        </div>
+
+        <div class="embed-code-content active" id="embed-tab-js">
+            <pre id="embed-snippet-js"></pre>
+            <button type="button" class="embed-copy-btn" data-target="embed-snippet-js">
+                <i class="bi bi-clipboard"></i> Copy to Clipboard
+            </button>
+            <span class="embed-copy-feedback">Copied!</span>
+            <p class="embed-note">
+                Best option for most websites. The form auto-resizes to fit its content.
+            </p>
+        </div>
+
+        <div class="embed-code-content" id="embed-tab-iframe">
+            <pre id="embed-snippet-iframe"></pre>
+            <button type="button" class="embed-copy-btn" data-target="embed-snippet-iframe">
+                <i class="bi bi-clipboard"></i> Copy to Clipboard
+            </button>
+            <span class="embed-copy-feedback">Copied!</span>
+            <p class="embed-note">
+                Use this if external scripts are restricted (e.g., WordPress.com). You may need to set a fixed height.
+            </p>
+        </div>
+
+        <div class="embed-code-content" id="embed-tab-wordpress">
+            <pre id="embed-snippet-wordpress"></pre>
+            <button type="button" class="embed-copy-btn" data-target="embed-snippet-wordpress">
+                <i class="bi bi-clipboard"></i> Copy to Clipboard
+            </button>
+            <span class="embed-copy-feedback">Copied!</span>
+            <p class="embed-note">
+                Requires the <strong>DFW Forms</strong> WordPress plugin. Configure the server URL under Settings &gt; DFW Forms.
+            </p>
+        </div>
+    </div>
+
     <script>
     document.addEventListener('DOMContentLoaded', function() {
         var qrUrl = '{% url "forms_workflows:form_qr_code" original.slug %}';
         var submitUrl = '{% url "forms_workflows:form_submit" original.slug %}';
+        var embedUrl = '{% url "forms_workflows:form_embed" original.slug %}';
         var absUrl = window.location.origin + submitUrl;
+        var absEmbedUrl = window.location.origin + embedUrl;
+        var absStaticBase = window.location.origin;
         var slug = '{{ original.slug }}';
 
-        // Set URL field
+        // -- QR code panel --
         document.getElementById('adminQrUrl').value = absUrl;
 
-        // Set download links
         document.getElementById('adminQrDownloadSvg').href = qrUrl + '?format=svg';
         document.getElementById('adminQrDownloadSvg').download = slug + '-qr.svg';
         document.getElementById('adminQrDownloadPng').href = qrUrl + '?format=png&size=12';
         document.getElementById('adminQrDownloadPng').download = slug + '-qr.png';
 
-        // Load QR preview
         var preview = document.getElementById('adminQrPreview');
         fetch(qrUrl + '?format=svg')
             .then(function(r) { return r.text(); })
@@ -172,14 +310,45 @@ <h3><i class="bi bi-qr-code"></i> Share Form via QR Code</h3>
                 preview.innerHTML = '<span style="color: #dc3545;">Failed to load QR code.<br>Is segno installed?</span>';
             });
 
-        // Copy button
         document.getElementById('adminQrCopyBtn').addEventListener('click', function() {
             navigator.clipboard.writeText(absUrl).then(function() {
                 var fb = document.getElementById('adminQrCopyFeedback');
                 fb.style.display = 'block';
                 setTimeout(function() { fb.style.display = 'none'; }, 2500);
             });
         });
+
+        // -- Embed code panel --
+        var jsSnippet = '<script src="' + absStaticBase + '/static/django_forms_workflows/js/dfw-embed.js"\n  data-form="' + slug + '"\n  data-server="' + absStaticBase + '"\n><\/script>';
+        var iframeSnippet = '<iframe src="' + absEmbedUrl + '"\n  style="width:100%;border:none;min-height:500px;"\n  title="Form: ' + slug + '"\n  loading="lazy"\n  allowtransparency="true"\n></iframe>';
+        var wpSnippet = '[dfw_form slug="' + slug + '"]';
+
+        document.getElementById('embed-snippet-js').textContent = jsSnippet;
+        document.getElementById('embed-snippet-iframe').textContent = iframeSnippet;
+        document.getElementById('embed-snippet-wordpress').textContent = wpSnippet;
+
+        // Tab switching
+        document.querySelectorAll('.embed-code-tab').forEach(function(tab) {
+            tab.addEventListener('click', function() {
+                document.querySelectorAll('.embed-code-tab').forEach(function(t) { t.classList.remove('active'); });
+                document.querySelectorAll('.embed-code-content').forEach(function(c) { c.classList.remove('active'); });
+                tab.classList.add('active');
+                document.getElementById('embed-tab-' + tab.getAttribute('data-tab')).classList.add('active');
+            });
+        });
+
+        // Copy buttons
+        document.querySelectorAll('.embed-copy-btn').forEach(function(btn) {
+            btn.addEventListener('click', function() {
+                var targetId = btn.getAttribute('data-target');
+                var text = document.getElementById(targetId).textContent;
+                navigator.clipboard.writeText(text).then(function() {
+                    var fb = btn.nextElementSibling;
+                    fb.style.display = 'inline';
+                    setTimeout(function() { fb.style.display = 'none'; }, 2500);
+                });
+            });
+        });
     });
     </script>
     {% endif %}