From b2e71d9580c8ae8c14066f5beafca23f29c20974 Mon Sep 17 00:00:00 2001
From: yflory <yann.flory@xwiki.com>
Date: Fri, 19 Nov 2021 11:38:14 +0100
Subject: [PATCH] Add sandbox attribute to the secureiframe

---
 www/common/sframe-common-file.js | 1 +
 www/secureiframe/main.js         | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/common/sframe-common-file.js b/www/common/sframe-common-file.js
index 9474b132b..582d41c59 100644
--- a/www/common/sframe-common-file.js
+++ b/www/common/sframe-common-file.js
@@ -517,6 +517,7 @@ define([
                         if (!thumb64) { return; }
                         thumb = thumb64;
                     }));
+                    if (file.type === "application/pdf") { return; }
                     MT.preview(buffer, {
                         type: file.type,
                     }, void 0, w(function (err, el) {
diff --git a/www/secureiframe/main.js b/www/secureiframe/main.js
index e1a95dfe8..6a43f3a02 100644
--- a/www/secureiframe/main.js
+++ b/www/secureiframe/main.js
@@ -28,7 +28,7 @@ define([
             };
             window.rc = requireConfig;
             window.apiconf = ApiConfig;
-            $('#sbox-secure-iframe').attr('src',
+            $('#sbox-secure-iframe').attr('sandbox', 'allow-scripts allow-popups allow-modals').attr('src',
                 ApiConfig.httpSafeOrigin + '/secureiframe/inner.html?' + requireConfig.urlArgs +
                     '#' + encodeURIComponent(JSON.stringify(req)));