Coding Rules Library
Add a sandbox attribute to iframes with untrusted sources
When an iframe's src is external or user-influenced, set the sandbox attribute so the frame starts with every restriction applied, then re-enable only the specific capabilities the embedded content needs; lazy-load it as well so the untrusted document does not block the initial render.
Bad example
```jsx
<iframe
  src={data.iframeUrl}
  title={data.name}
  className="h-[1000px] w-full"
/>
```
Explanation (EN)
With no sandbox attribute, the embedded page runs scripts, navigates the top-level window, opens popups, and submits forms with the full set of default iframe privileges. If data.iframeUrl is user-influenced, that is attack surface handed to whoever controls the URL.
Explanation (HR, translated)
Without a sandbox, the embedded page runs scripts, top-level navigation, popups, and form submission with full privileges, widening the attack surface.
Good example
```jsx
<iframe
  src={data.iframeUrl}
  title={data.name}
  className="h-[1000px] w-full"
  sandbox="allow-scripts allow-same-origin"
  loading="lazy"
/>
```
Explanation (EN)
The sandbox attribute applies every restriction by default (no scripts, no forms, no popups, no top-level navigation, and an opaque origin); each listed token re-enables exactly one capability, so only what is explicitly granted is available. Here allow-scripts lets the embedded page run JavaScript and allow-same-origin lets it keep its own origin (cookies and storage for its host), which a typical third-party widget needs. Two caveats: never combine allow-scripts with allow-same-origin when the framed document is same-origin with the embedding page, because the framed script can then reach up and remove the sandbox attribute; and the sandbox does not validate the URL itself, so a user-influenced src should still be restricted to https URLs on expected hosts (a javascript: URL, for example, must never reach the src). loading="lazy" defers fetching the frame until it nears the viewport, so it does not block initial render.
Explanation (HR, translated)
The sandbox attribute removes the dangerous defaults and grants only the explicitly listed capabilities; loading=lazy avoids blocking the initial render.
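The following is an added example, not code from the rules library or from the project it describes. It shows how the good example above could be backed by a helper that validates a user-influenced URL before it reaches src and builds the sandbox token list from an explicit capability set, refusing the allow-scripts + allow-same-origin combination on same-origin content. The function names (validateIframeUrl, buildIframeProps), the constant SANDBOX_TOKENS, and the sample URLs are assumptions for illustration; it relies only on the standard URL class (Node 18+ or any modern browser).

```javascript
// Added example: guarded iframe props for an untrusted, user-influenced URL.
// Names and sample hosts are hypothetical; only the standard URL class is used.

// Sandbox tokens this helper will accept. Anything else is rejected so a typo
// cannot silently grant nothing (or the wrong thing).
const SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Returns a normalised absolute https URL string, or null if the value must
// not be framed. Relative URLs, javascript:, data:, blob: and http: are all
// rejected, as are URLs carrying embedded credentials.
function validateIframeUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Builds the props for <iframe {...props} />. `capabilities` is the list of
// sandbox tokens the embedded content actually needs; an empty list yields
// sandbox="" (every restriction applied). `embeddingOrigin` is the origin of
// the page doing the embedding (window.location.origin in a browser).
function buildIframeProps(rawUrl, capabilities = [], embeddingOrigin = "") {
  const src = validateIframeUrl(rawUrl);
  if (src === null) {
    throw new Error("refusing to frame untrusted URL: " + String(rawUrl));
  }

  const tokens = [...new Set(capabilities)];
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error("unknown sandbox token: " + t);
  }

  // allow-scripts + allow-same-origin on a same-origin document lets the framed
  // script reach window.parent and strip the sandbox attribute entirely.
  const sameOriginContent = new URL(src).origin === embeddingOrigin;
  if (sameOriginContent && tokens.includes("allow-scripts") &&
      tokens.includes("allow-same-origin")) {
    throw new Error(
      "allow-scripts with allow-same-origin on same-origin content defeats the sandbox");
  }

  return {
    src,
    sandbox: tokens.join(" "),
    loading: "lazy",
    referrerPolicy: "strict-origin-when-cross-origin",
  };
}

// Constructed sample inputs, as a caller in a React component might use them.
const thirdPartyWidget = buildIframeProps(
  "https://widgets.example.com/embed?id=42",
  ["allow-scripts", "allow-same-origin"],
  "https://app.example.com",
);
const fullySandboxed = buildIframeProps("https://docs.example.com/view/7", []);
```

In a component this becomes `<iframe {...buildIframeProps(data.iframeUrl, ["allow-scripts"], window.location.origin)} title={data.name} className="h-[1000px] w-full" />`; the point of the helper is that the URL check and the token policy live in one place instead of being re-typed at every embed site.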
Exceptions / Tradeoffs (EN)
A first-party iframe pointing at fully trusted same-origin content you control may not need sandboxing; weigh the functionality you would have to re-grant against the benefit. If you do sandbox same-origin content, do not grant allow-scripts together with allow-same-origin, since that combination lets the framed page remove its own sandbox.
Exceptions / Tradeoffs (HR, translated)
A first-party iframe that points to fully trusted same-origin content you control may not need a sandbox; weigh the functionality you would have to re-grant.