Fix sandbox links

marksteward · marksteward · commit efc0dc68de83 · 2026-03-24T22:45:24.000Z
diff --git a/apps/villages/views.py b/apps/villages/views.py
@@ -103,7 +103,7 @@ def render_markdown(markdown_text: str) -> Markup:
         link_rel="noopener nofollow",  # default includes noreferrer but not nofollow
     )
     inner_html = render_template("sandboxed-iframe.html", body=Markup(content_html))
-    iFrame_html = f'<iframe sandbox="allow-scripts" class="embedded-content" srcdoc="{html.escape(inner_html, True)}"></iframe>'
+    iFrame_html = f'<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" class="embedded-content" srcdoc="{html.escape(inner_html, True)}"></iframe>'
     return Markup(iFrame_html)
 
 
diff --git a/templates/sandboxed-iframe.html b/templates/sandboxed-iframe.html
@@ -4,6 +4,7 @@
 <html lang="en" style="background-color: transparent; margin: 0; padding: 0">
     <head>
         <meta charset="UTF-8">
+        <base target="_top">
         {% block css -%}
         <link rel="stylesheet" href="{{ static_url_for('static', filename="css/main.css") }}">
         {% endblock -%}

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ def render_markdown(markdown_text: str) -> Markup:`
`103`	`103`	`link_rel="noopener nofollow", # default includes noreferrer but not nofollow`
`104`	`104`	`)`
`105`	`105`	`inner_html = render_template("sandboxed-iframe.html", body=Markup(content_html))`
`106`		`- iFrame_html = f'<iframe sandbox="allow-scripts" class="embedded-content" srcdoc="{html.escape(inner_html, True)}"></iframe>'`
	`106`	`+ iFrame_html = f'<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" class="embedded-content" srcdoc="{html.escape(inner_html, True)}"></iframe>'`
`107`	`107`	`return Markup(iFrame_html)`
`108`	`108`
`109`	`109`