Skip to content

Commit b7819d0

Browse files
committed
fix(emailPreview): open in-body links in a new tab via injected <base>
Clicking the "Download your files" link (or the link-text link) inside the preview iframe tried to navigate the iframe itself. The sandbox deliberately omits `allow-top-navigation`, so the navigation was blocked and the iframe blanked out — leaving the modal open with an empty body. Splice `<base target="_blank" rel="noopener">` into the rendered email's `<head>` (or prepend it if the template ever stops having one) before handing the HTML to `srcdoc`. Anchors then open in a new top-level tab, which the existing `allow-popups` / `allow-popups-to-escape-sandbox` flags already permit. No cryptify change needed — the real email never needed `target="_blank"`, only the preview surface does.
1 parent d2cba06 commit b7819d0

1 file changed

Lines changed: 19 additions & 1 deletion

File tree

src/lib/components/filesharing/EmailPreviewModal.svelte

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,24 @@
8383
function handleKey(e: KeyboardEvent) {
8484
if (e.key === 'Escape') onClose()
8585
}
86+
87+
/** Inject `<base target="_blank">` into the rendered email HTML so
88+
* anchor clicks open in a new top-level tab instead of trying to
89+
* navigate the sandboxed iframe (which has no `allow-top-navigation`
90+
* and would otherwise blank the body). The `allow-popups` /
91+
* `allow-popups-to-escape-sandbox` flags already permit the new
92+
* tab. We try to splice into an existing `<head>`; if cryptify ever
93+
* changes the template shape, the prepended fallback still works
94+
* because browsers tolerate a `<base>` before `<html>`. */
95+
function withBaseTarget(html: string): string {
96+
const tag = '<base target="_blank" rel="noopener">'
97+
const headIdx = html.search(/<head[^>]*>/i)
98+
if (headIdx >= 0) {
99+
const end = html.indexOf('>', headIdx) + 1
100+
return html.slice(0, end) + tag + html.slice(end)
101+
}
102+
return tag + html
103+
}
86104
</script>
87105

88106
<svelte:window onkeydown={handleKey} />
@@ -185,7 +203,7 @@
185203
<iframe
186204
class="email-frame"
187205
title={$_('filesharing.emailPreview.iframeTitle')}
188-
srcdoc={active.html}
206+
srcdoc={withBaseTarget(active.html)}
189207
sandbox="allow-popups allow-popups-to-escape-sandbox"
190208
></iframe>
191209
{/if}

0 commit comments

Comments
 (0)