漏洞
When a URL encoded ampersand (&) is in an embed code, the embedded content does not load in the ArcGIS Experience Builder Embed widget.
| 漏洞 ID 编号 | BUG-000171016 |
|---|---|
| 已提交 | September 25, 2024 |
| 上次修改时间 | August 20, 2025 |
| 适用范围 | ArcGIS Online |
| 找到的版本 | June 2024 |
| 操作系统 | Windows OS |
| 操作系统版本 | 10.0 64 Bit |
| 状态 | Will Not Be Addressed |
附加信息
Per investigation, this issue is from SharePoint (probably in their Nov 23 security update) and it is not from Experience Builder. - SharePoint has the Cross-origin resource sharing (CORS) policy and it does not support "'&'action=xxx" inside the URL anymore (it did before). If the same src is used inside a simple HTML iframe, and is put in a cross-domain server, the same behavior occurs. - YouTube does not have the Cross-origin resource sharing (CORS) policy and it still supports "'&'key=xxx" in a SRC. So their embed code works fine, e.g.:"". Thus, unfortunately, this is not a bug from Experience Builder, and cannot be fixed.解决办法
Remove & from the embed code.
Example:
<iframe src="https://___-my.sharepoint.com/personal/<userID>/_layouts/15/Doc.aspx?sourcedoc=%7B____________%7D&action=embedview&wdAr=1.7777777777777777" width="476px" height="288px">This is an embedded</iframe>
The altered code looks like the one below.
<iframe src="https://___-my.sharepoint.com/personal/<userID>/_layouts/15/Doc.aspx?sourcedoc=%7B__________%7D&action=embedview&wdAr=1.7777777777777777" width="476px" height="288px">This is an embedded</iframe>
重现步骤
漏洞 ID: BUG-000171016
软件:
- ArcGIS Online
当漏洞状态发生变化时获得通知
发现关于本主题的更多内容
搜索相关信息
查找与此主题相关的培训
探索想法并提供反馈
获取来自 ArcGIS 专家的帮助
下载 Esri 支持应用程序