custom-html widget iframe allow fix (#1698)

Author: JMach1

src/components/custom-html/ko/customHtmlView.html

@@ -1,4 +1,3 @@
-<iframe data-bind="attr: { srcdoc: htmlCode }, styled: styles"
-    sandbox="allow-scripts allow-modals allow-forms"
+<iframe data-bind="attr: { srcdoc: htmlCode, sandbox: iframeSandboxAllows }, styled: styles"
     frameborder="0"
 ></iframe>

src/components/custom-html/ko/customHtmlViewModel.ts

@@ -3,6 +3,7 @@ import template from "./customHtmlView.html";
 import { widgetSelector } from "../constants";
 import { Component } from "@paperbits/common/ko/decorators";
 import { StyleModel } from "@paperbits/common/styles";
+import { iframeSandboxAllows } from "../../../constants";
 
 @Component({
     selector: widgetSelector,
@@ -11,6 +12,7 @@ import { StyleModel } from "@paperbits/common/styles";
 export class CustomHtmlViewModel {
     public readonly styles: ko.Observable<StyleModel>;
     public readonly htmlCode: ko.Observable<string>;
+    public readonly iframeSandboxAllows: string = iframeSandboxAllows;
 
     constructor() {
         this.htmlCode = ko.observable();

src/constants.ts

@@ -267,3 +267,8 @@ export const genericHttpRequestError = "Server error. Unable to send request. Pl
 
 export const oauthSessionKey = "oauthSession";
 export const reservedCharTuplesForOData: [string, string][] = [["'", "''"]];
+
+/**
+ * List of allowed attributes for a sandboxed iframe.
+ */
+export const iframeSandboxAllows = "allow-scripts allow-modals allow-forms allow-downloads allow-popups-to-escape-sandbox allow-top-navigation allow-presentation allow-orientation-lock allow-pointer-lock";