Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.

maps/tests/Metadata/customMenu.json

@@ -54,7 +54,7 @@
         {
           "name":"openWebsite",
           "type":"string",
-          "value":"customMenu.html"
+          "value":"customMenu.php"
         },
         {
           "name":"openWebsiteAllowApi",
@@ -97,4 +97,4 @@
   "type":"map",
   "version":"1.6",
   "width":10
-}
+}