feat(web): preview .html refs in sandboxed iframe #59

Merged: SymbolStar merged 1 commit into main from judy/html-preview on Jun 3, 2026

Conversation

@SymbolStar (Owner)
Problem: opening an .html ref from a thread (e.g. dora's design mock) shows the escaped source code; it cannot be reviewed directly.

Root cause: `selectRef()` in `web/app.js` only handles image / markdown / json; everything else goes through `<pre>escapeHtml(text)</pre>`, so HTML gets pasted in as text.

Fix: add a branch that renders refs with the `text/html` MIME type or a .html/.htm/.xhtml suffix via iframe + srcdoc + sandbox="".

Sandbox: an empty-string sandbox is the strictest setting (no scripts, no form submission, no top-level navigation, treated as a separate origin). That is entirely sufficient for design mocks and also defends against malicious scripts stuffed into a ref. If internal pages that genuinely need to run JS come up later, a whitelist toggle can be added then.

Scope: pure front-end, 11 lines; the server-side MIME allowlist already permits text/*, so it does not need changing.

Previously .html refs fell through to the text/<pre> branch and showed
escaped source code instead of a rendered page (designer mock html
opened from a thread was unreadable).

Add a dedicated branch in selectRef() that renders text/html (or any
ref whose label ends in .html/.htm/.xhtml) via an iframe with
`srcdoc` + `sandbox=""` (strictest: no scripts, forms, top-nav,
same-origin). Safe for designer mocks; intentional executable html
still needs an opt-in later.
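As an added illustration (not code from this PR or the project), the following sketches the kind of `selectRef()` branch the description talks about: a MIME-or-suffix check, an iframe built with `sandbox=""` and `srcdoc`, and the `<pre>` fallback. The ref shape `{ mime, label }`, the function names, and the stub `document` used so it runs in Node are all assumptions made here.

```javascript
// Added example, not the project's code. Ref shape { mime, label } and the
// helper names are assumptions; the stub document only exists so the logic
// can be exercised outside a browser.

const HTML_SUFFIX = /\.(html?|xhtml)$/i;

// Decide whether a ref should be rendered as a sandboxed HTML preview:
// either the server reported text/html (parameters such as ;charset= are
// ignored) or the label ends in .html/.htm/.xhtml.
function isHtmlRef(ref) {
  const type = String(ref.mime || '').split(';')[0].trim().toLowerCase();
  return type === 'text/html' || HTML_SUFFIX.test(String(ref.label || ''));
}

// Build the preview frame. sandbox="" (every restriction on) is set before
// the frame is inserted: sandbox flags are captured when the frame
// navigates, so adding the attribute to an already-loaded frame would not
// retroactively disable scripts that have run.
function buildHtmlPreview(doc, html) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', '');   // no scripts, forms, top-nav; opaque origin
  frame.setAttribute('srcdoc', html);  // inline document, never a fetched URL
  return frame;
}

// Fallback for everything else: a <pre> filled through textContent, which
// cannot be parsed as markup (same effect as the escapeHtml path).
function buildTextPreview(doc, text) {
  const pre = doc.createElement('pre');
  pre.textContent = text;
  return pre;
}

function renderRef(doc, ref, text) {
  return isHtmlRef(ref) ? buildHtmlPreview(doc, text) : buildTextPreview(doc, text);
}

// Minimal stand-in for `document` so the example runs in Node. It records
// the tag name and attributes only; in a page, pass the real document.
function stubDocument() {
  return {
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(),
        attrs: {},
        textContent: '',
        setAttribute(name, value) { this.attrs[name] = String(value); },
        getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; },
      };
    },
  };
}

// Constructed sample: a design mock that happens to carry an inline script.
const SAMPLE_MOCK = '<h1>Checkout v2</h1><script>alert(1)</script>';

// Renders the sample through the HTML branch and returns the element built.
function demo() {
  const doc = typeof document !== 'undefined' ? document : stubDocument();
  return renderRef(doc, { mime: 'text/html; charset=utf-8', label: 'dora-mock.html' }, SAMPLE_MOCK);
}

demo();
```

If the opt-in mentioned in the commit message is ever added, the one combination to avoid is `allow-scripts` together with `allow-same-origin`: a `srcdoc` frame with both tokens runs in the embedding page's origin and can reach up and remove its own `sandbox` attribute, which reopens exactly the script-in-a-ref problem the empty sandbox closes.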
github-actions Bot commented Jun 3, 2026

🤖 bot-review (comment-only · phase 1)

Diff: 1 file changed, 11 insertions(+) @ dd92a1e

Red-line checks:

  • ✅ A-7.5: no new 'forbidden' code in xiaof

Phase 1: this bot leaves comments only. Auto-approve will be enabled per-path after 1–2 weeks of clean runs. Promotion plan: judy PR #42 follow-up.

@SymbolStar SymbolStar merged commit 0272468 into main Jun 3, 2026
7 checks passed