
issue-6: sandbox content generated #63

Merged: NicolasCARPi merged 3 commits into master from toan-2026-01-02-fix-issue-6 on Jan 7, 2026

Conversation

@toan-nsc
Contributor

@toan-nsc toan-nsc commented Jan 2, 2026

Closes #6

Summary by CodeRabbit

  • New Features

    • HTML content is sanitized before display and rendered inside a sandboxed iframe for safer inline previews.
    • Server-side sanitization is applied to HTML found in metadata to reduce unsafe content exposure.
    • Inline preview no longer exposes a direct "Download HTML" button; download still available via separate open-in-new-tab path.
  • Style

    • Added styling for the HTML content preview container with scrollable area, border, and responsive iframe.


@coderabbitai

coderabbitai Bot commented Jan 2, 2026

📝 Walkthrough

Walkthrough

Server- and client-side HTML sanitization were added: a Go HTMLSanitizer using bluemonday sanitizes RO-Crate metadata on the server, and client-side sanitization plus sandboxed iframes render HTML previews in the browser.

Changes

Cohort / File(s): Summary

Dependency Management / go.mod: Added direct dependency github.com/microcosm-cc/bluemonday v1.0.27; added indirect dependencies github.com/aymerick/douceur v0.2.0, github.com/gorilla/css v1.0.1, golang.org/x/net v0.38.0.

Backend HTML Sanitization / src/content_sandbox.go: New HTMLSanitizer type, NewHTMLSanitizer() constructor, Sanitize(html string) string, and SanitizeRoCrateMetadata(metadata map[string]interface{}) map[string]interface{} to clean HTML in RO-Crate @graph entries.

Frontend Rendering & Security / src/index.js: Added sanitizeHTML() client-side sanitizer; refactored HTML preview rendering to insert a sanitized complete document into a sandboxed iframe via srcdoc (removed the inline base64 blob/download preview path).

Preview Container Styling / src/main.css: Added .html-content-preview and .html-content-preview .user-content-container styles (full width, max-height 600px, overflow auto, border, background) and iframe styling (full width, min-height 200px, no border).

Tests / src/content_sandbox_test.go: New unit tests covering encoding format normalization and HTMLSanitizer behavior: Sanitize and SanitizeRoCrateMetadata test cases for stripping scripts, event handlers, and unsafe URLs, and for preserving safe HTML.

Sequence Diagram(s)

sequenceDiagram
    participant User as User (Browser)
    participant Client as Client JS
    participant Server as Server (Go)
    participant Sanitizer as HTMLSanitizer
    participant IFrame as Sandboxed IFrame

    User->>Server: Request RO-Crate JSON
    Server->>Sanitizer: SanitizeRoCrateMetadata(metadata)
    Sanitizer->>Sanitizer: Walk `@graph`, locate encodingFormat="text/html"
    Sanitizer->>Sanitizer: Sanitize HTML fields (text/description/content)
    Sanitizer-->>Server: Return sanitized metadata
    Server-->>Client: Send sanitized RO-Crate

    Client->>Client: Extract HTML content
    Client->>Client: sanitizeHTML() (client-side)
    Client->>IFrame: Insert sanitized document via srcdoc into sandboxed iframe
    IFrame-->>User: Render isolated, sanitized content

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 With nimble paws I trim the mess,
I scrub the markup, tame the stress.
Bluemonday cleans, the iframe guards,
Safe previews hopping through the yard.
A little rabbit’s gentle cheer—safe HTML is here!


📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Free

📥 Commits

Reviewing files that changed from the base of the PR and between 500bc6a and 242180b.

📒 Files selected for processing (2)
  • src/content_sandbox.go
  • src/content_sandbox_test.go


@toan-nsc toan-nsc marked this pull request as draft January 2, 2026 14:09
@toan-nsc toan-nsc marked this pull request as ready for review January 3, 2026 04:38
@toan-nsc toan-nsc requested a review from NicolasCARPi January 3, 2026 04:44
Comment thread src/content_sandbox.go Outdated
}

// Check if this entity has HTML content
encodingFormat, _ := entity["encodingFormat"].(string)
Member


I suggest always sanitizing; don't rely on the user-defined encodingFormat value.
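The reviewer's point above is that the declared encodingFormat is attacker-controlled metadata, so the sanitizer must run on every entity's rendered fields rather than only on entities that claim text/html. The block below is an added example, not the PR's own Go code: it is written in Python on the standard-library html.parser so it runs stand-alone, with a small allowlist policy (the tag and attribute sets, the href scheme list, and the field names text/description/content from the walkthrough are assumptions for this example) standing in for the bluemonday policy the PR uses. The sample RO-Crate is constructed; its third entity declares text/plain while carrying HTML, which is exactly the case a format-gated walk would skip.

```python
"""Allowlist HTML sanitizer plus an RO-Crate @graph walk that cleans the rendered
fields of every entity regardless of encodingFormat (added example; the sanitizer
stands in for the PR's bluemonday policy)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy: an assumption for this example, choose what the UI really needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements dropped together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Entity fields the preview renders as HTML (names taken from the PR walkthrough).
HTML_FIELDS = ("text", "description", "content")


def safe_url(url: str) -> bool:
    """Allow relative URLs and a few schemes; refuse javascript:, data:, etc.
    Browsers strip TAB/CR/LF from URLs before parsing, so strip them first,
    otherwise "java\\tscript:" would pass a naive scheme check."""
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\n\r")
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.open_tags = []  # allowlisted tags currently open, for well-nested closing
        self.skip_depth = 0  # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself, keep its text
        kept = ""
        for name, value in attrs:
            value = value or ""
            # Event handlers and any attribute not explicitly allowed are dropped.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_url(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # also close anything left open inside this tag
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


def sanitize_ro_crate_metadata(metadata: dict) -> dict:
    """Return a copy with HTML_FIELDS sanitized on every @graph entity.
    encodingFormat is user-controlled and therefore never consulted. Identifiers
    such as @id are left alone: HTML-escaping them would corrupt URLs with '&'."""
    cleaned = dict(metadata)
    graph = []
    for entity in metadata.get("@graph", []):
        if isinstance(entity, dict):
            entity = dict(entity)
            for field in HTML_FIELDS:
                value = entity.get(field)
                if isinstance(value, str):
                    entity[field] = sanitize(value)
                elif isinstance(value, list):
                    entity[field] = [sanitize(v) if isinstance(v, str) else v for v in value]
        graph.append(entity)
    cleaned["@graph"] = graph
    return cleaned


# Constructed sample crate: the third entity misdeclares its encodingFormat.
SAMPLE_CRATE = {
    "@context": "https://w3id.org/ro/crate/1.1/context",
    "@graph": [
        {"@id": "ro-crate-metadata.json", "@type": "CreativeWork"},
        {"@id": "./", "@type": "Dataset", "description": "Plain <b>bold</b> text"},
        {"@id": "notes.html", "@type": "File", "encodingFormat": "text/plain",
         "text": '<p>Looks harmless</p><img src=x onerror="alert(1)">'},
    ],
}
```

Running sanitize_ro_crate_metadata(SAMPLE_CRATE) keeps the Dataset description intact, reduces the misdeclared File's text to "<p>Looks harmless</p>", and leaves every @id untouched. Server-side cleaning of this kind is defence in depth; the sandboxed iframe on the client remains the boundary that contains anything a policy gap lets through.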

@toan-nsc toan-nsc requested a review from NicolasCARPi January 7, 2026 03:57
Member

@NicolasCARPi NicolasCARPi left a comment


Thanks!

@NicolasCARPi NicolasCARPi merged commit d559a39 into master Jan 7, 2026
2 checks passed
@NicolasCARPi NicolasCARPi deleted the toan-2026-01-02-fix-issue-6 branch January 7, 2026 09:52

Development

Successfully merging this pull request may close these issues.

Sandbox user-generated content as much as possible

3 participants