twenty/packages
Sonarly Claude Code dd67109594 fix(front-component-renderer): use permissive sandbox default for iframe instead of force-overriding
https://sonarly.com/issue/29143?type=bug

Custom front components that render iframes get a force-applied `sandbox=""` attribute (most restrictive possible), overriding any developer-supplied sandbox value and blocking JavaScript, forms, popups, and same-origin access inside the iframe.

Fix: Changed `createHtmlHostWrapper.ts` with two fixes:

1. **Changed sandbox default value from `''` to `'allow-scripts allow-forms allow-popups'`** — The empty string `sandbox=""` is the most restrictive possible value per HTML spec (blocks all scripts, forms, popups, same-origin access). The new default allows JavaScript execution, form submission, and popups — which are required for any non-trivial iframe embedding (analytics dashboards, OAuth flows, payment widgets). `allow-same-origin` is intentionally excluded from the default to prevent third-party front components from accessing the host application's cookies/storage, maintaining the security boundary.

2. **Reversed the spread order from `{...filterProps(props), ...forcedProps}` to `{...defaultProps, ...filterProps(props)}`** — Previously, forced props were spread last, silently overriding any developer-supplied `sandbox` attribute. Now default props are spread first, so app developers can explicitly set their own sandbox value when needed (e.g., `sandbox="allow-scripts allow-same-origin"` for trusted same-origin content). This follows the standard React "defaults with overrides" pattern.

The constant was renamed from `FORCED_PROPS_BY_TAG` to `DEFAULT_PROPS_BY_TAG` and the local variable from `forcedProps` to `defaultProps` to accurately reflect the new semantics.
2026-04-20 20:52:16 +00:00
create-twenty-app Bump twenty-sdk, twenty-client-sdk, create-twenty-app to 1.23.0-canary.9 (#19883) 2026-04-20 13:21:00 +00:00
twenty-apps perf(sdk): split twenty-sdk barrel into per-purpose subpaths to cut logic-function bundle ~700x (#19834) 2026-04-18 19:38:34 +02:00
twenty-cli 1774 extensibility v1 create an exhaustive documentation readme or dedicated section in twenty contributing doc (#16751) 2025-12-22 15:19:11 +01:00
twenty-client-sdk Bump twenty-sdk, twenty-client-sdk, create-twenty-app to 1.23.0-canary.9 (#19883) 2026-04-20 13:21:00 +00:00
twenty-companion Migrate twenty-companion from npm to yarn workspaces (#18946) 2026-03-25 10:45:43 +01:00
twenty-docker Add twenty-managed Docker target with AWS CLI for EKS deployments (#19816) 2026-04-17 17:54:10 +00:00
twenty-docs i18n - docs translations (#19880) 2026-04-20 12:51:54 +02:00
twenty-e2e-testing shouldIncludeRecordPageLayouts deprecation (#19774) 2026-04-17 11:32:10 +00:00
twenty-emails i18n - translations (#18956) 2026-03-25 14:23:30 +01:00
twenty-front i18n - translations (#19893) 2026-04-20 19:45:24 +02:00
twenty-front-component-renderer fix(front-component-renderer): use permissive sandbox default for iframe instead of force-overriding 2026-04-20 20:52:16 +00:00
twenty-oxlint-rules add workspaceId to indirect entities (#19522) 2026-04-09 19:30:28 +00:00
twenty-sdk Bump twenty-sdk, twenty-client-sdk, create-twenty-app to 1.23.0-canary.9 (#19883) 2026-04-20 13:21:00 +00:00
twenty-server fix(server): scope loadingMessage wrap/strip to AI-chat callers (#19896) 2026-04-20 21:43:16 +02:00
twenty-shared feat(sdk): support viewSorts in app manifests (#19881) 2026-04-20 14:31:06 +02:00
twenty-ui fix(ui): make CardPicker hover cover the whole card and align content left (#19884) 2026-04-20 17:00:12 +02:00
twenty-utils Refactor dependency graph for SDK, client-sdk and create-app (#18963) 2026-03-26 10:56:52 +00:00
twenty-website Add AI as a public feature flag in the Lab (#19277) 2026-04-02 15:56:27 +00:00
twenty-website-new [Website] Self-host billing migration and some responsiveness fixes. (#19894) 2026-04-20 21:23:54 +02:00
twenty-zapier Deprecate legacy RICH_TEXT field metadata type (#18623) 2026-03-13 17:25:40 +01:00