From cdbd1ff4ded52a588d837c3b2cb04fe6168ed51f Mon Sep 17 00:00:00 2001
From: Hufe921
Date: Thu, 18 Apr 2024 21:43:56 +0800
Subject: [PATCH] feat: add security rules to IFrameBlock element

---
 .../particle/block/modules/IFrameBlock.ts | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/editor/core/draw/particle/block/modules/IFrameBlock.ts b/src/editor/core/draw/particle/block/modules/IFrameBlock.ts
index c5c90aa..774f267 100644
--- a/src/editor/core/draw/particle/block/modules/IFrameBlock.ts
+++ b/src/editor/core/draw/particle/block/modules/IFrameBlock.ts
@@ -1,21 +1,30 @@
 import { IRowElement } from '../../../../../interface/Row'
 
 export class IFrameBlock {
-  private static readonly sandbox = [
-    'allow-forms',
-    'allow-scripts',
-    'allow-same-origin',
-    'allow-popups'
-  ]
+  private static readonly sandbox = ['allow-scripts', 'allow-same-origin']
   private element: IRowElement
 
   constructor(element: IRowElement) {
     this.element = element
   }
 
+  private _defineIframeProperties(iframeWindow: Window) {
+    Object.defineProperties(iframeWindow, {
+      // 禁止获取parent避免安全漏洞
+      parent: {
+        get: () => null
+      },
+      // 用于区分上下文
+      __POWERED_BY_CANVAS_EDITOR__: {
+        get: () => true
+      }
+    })
+  }
+
   public render(blockItemContainer: HTMLDivElement) {
     const block = this.element.block!
     const iframe = document.createElement('iframe')
+    iframe.setAttribute('data-id', this.element.id!)
     iframe.sandbox.add(...IFrameBlock.sandbox)
     iframe.style.border = 'none'
     iframe.style.width = '100%'
@@ -26,5 +35,7 @@ export class IFrameBlock {
       iframe.srcdoc = block.iframeBlock.srcdoc
     }
     blockItemContainer.append(iframe)
+    // 重新定义iframe上属性
+    this._defineIframeProperties(iframe.contentWindow!)
   }
 }
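Review bot: The `parent: { get: () => null }` override installed on `iframe.contentWindow` after `append` does not isolate the embedded content from the host page: `top` and `frameElement` are left untouched, and the `sandbox` field still grants `allow-scripts` together with `allow-same-origin`, so a script in the srcdoc document stays same-origin with the editor and can still reach the host document through `window.top`, which makes the comment `// 禁止获取parent避免安全漏洞` promise more than the getter delivers. Two further gaps sit on the same lines: `iframe.contentWindow!` is null when `blockItemContainer` is not attached to the document yet, so `Object.defineProperties` throws, and when the `src` branch (outside this hunk) navigates the frame to another document the initial about:blank window the getters were defined on is presumably replaced and the override lost — worth confirming in the browsers the editor supports. At minimum guard the window and define `top` and `frameElement` alongside `parent`; the actual origin boundary for untrusted srcdoc content is dropping `allow-same-origin`, a behaviour decision the commit should record in a comment on the `sandbox` field. `render` begins in the first hunk and ends in the second.

```typescript
  private _defineIframeProperties(iframeWindow: Window) {
    Object.defineProperties(iframeWindow, {
      // Hide the embedding window from frame scripts; this is a convenience
      // shim, not an origin boundary — that comes from the sandbox flags.
      parent: { get: () => null },
      top: { get: () => null },
      frameElement: { get: () => null },
      // … unchanged: __POWERED_BY_CANVAS_EDITOR__ marker …
    })
  }
  // … unchanged: render body up to blockItemContainer.append(iframe) …
    const iframeWindow = iframe.contentWindow
    // contentWindow is null until the iframe is connected to a document
    if (iframeWindow) this._defineIframeProperties(iframeWindow)
```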