open-design/apps/web/tests/components/PreviewModal.test.tsx

import { renderToStaticMarkup } from 'react-dom/server';
import { describe, expect, it } from 'vitest';

import { PreviewModal } from '../../src/components/PreviewModal';

describe('PreviewModal sandbox isolation', () => {
  it('renders generated previews without same-origin sandbox access', () => {
    const markup = renderToStaticMarkup(
      <PreviewModal
        title="Unsafe preview"
        views={[
          {
            id: 'preview',
            label: 'Preview',
            html: '<script>window.parent.document.body.innerHTML="owned"</script>',
          },
        ]}
        exportTitleFor={() => 'unsafe-preview'}
        onClose={() => {}}
      />,
    );

    expect(markup).toContain('sandbox="allow-scripts"');
    expect(markup).not.toContain('allow-same-origin');
    expect(markup).toContain('srcDoc=');
  });

  it('keeps deck srcdoc handling for deck preview views', () => {
    const markup = renderToStaticMarkup(
      <PreviewModal
        title="Deck preview"
        views={[
          {
            id: 'deck',
            label: 'Deck',
            html: '<section class="slide">one</section><section class="slide">two</section>',
            deck: true,
          },
        ]}
        exportTitleFor={() => 'deck-preview'}
        onClose={() => {}}
      />,
    );

    expect(markup).toContain('sandbox="allow-scripts"');
    expect(markup).not.toContain('allow-same-origin');
    expect(markup).toContain('od:slide');
  });
});
Initial import: open-design source for helix-mind.ai distribution This repository contains the open-design daemon CLI source code, built and packaged at https://helix-mind.ai/cli/open-design/latest.tgz for use by the HelixMind /design slash command. Licenses: Apache-2.0 (root) + MIT (skills/*) 2026-05-06 20:50:24 +02:00			`import { renderToStaticMarkup } from 'react-dom/server';`
			`import { describe, expect, it } from 'vitest';`

			`import { PreviewModal } from '../../src/components/PreviewModal';`

			`describe('PreviewModal sandbox isolation', () => {`
			`it('renders generated previews without same-origin sandbox access', () => {`
			`const markup = renderToStaticMarkup(`
			`<PreviewModal`
			`title="Unsafe preview"`
			`views={[`
			`{`
			`id: 'preview',`
			`label: 'Preview',`
			`html: '<script>window.parent.document.body.innerHTML="owned"</script>',`
			`},`
			`]}`
			`exportTitleFor={() => 'unsafe-preview'}`
			`onClose={() => {}}`
			`/>,`
			`);`

			`expect(markup).toContain('sandbox="allow-scripts"');`
			`expect(markup).not.toContain('allow-same-origin');`
			`expect(markup).toContain('srcDoc=');`
			`});`

			`it('keeps deck srcdoc handling for deck preview views', () => {`
			`const markup = renderToStaticMarkup(`
			`<PreviewModal`
			`title="Deck preview"`
			`views={[`
			`{`
			`id: 'deck',`
			`label: 'Deck',`
			`html: '<section class="slide">one</section><section class="slide">two</section>',`
			`deck: true,`
			`},`
			`]}`
			`exportTitleFor={() => 'deck-preview'}`
			`onClose={() => {}}`
			`/>,`
			`);`

			`expect(markup).toContain('sandbox="allow-scripts"');`
			`expect(markup).not.toContain('allow-same-origin');`
			`expect(markup).toContain('od:slide');`
			`});`
			`});`