dd67109594
https://sonarly.com/issue/29143?type=bug Custom front components that render iframes get a force-applied `sandbox=""` attribute (most restrictive possible), overriding any developer-supplied sandbox value and blocking JavaScript, forms, popups, and same-origin access inside the iframe. Fix: Changed `createHtmlHostWrapper.ts` with two fixes: 1. **Changed sandbox default value from `''` to `'allow-scripts allow-forms allow-popups'`** — The empty string `sandbox=""` is the most restrictive possible value per HTML spec (blocks all scripts, forms, popups, same-origin access). The new default allows JavaScript execution, form submission, and popups — which are required for any non-trivial iframe embedding (analytics dashboards, OAuth flows, payment widgets). `allow-same-origin` is intentionally excluded from the default to prevent third-party front components from accessing the host application's cookies/storage, maintaining the security boundary. 2. **Reversed the spread order from `{...filterProps(props), ...forcedProps}` to `{...defaultProps, ...filterProps(props)}`** — Previously, forced props were spread last, silently overriding any developer-supplied `sandbox` attribute. Now default props are spread first, so app developers can explicitly set their own sandbox value when needed (e.g., `sandbox="allow-scripts allow-same-origin"` for trusted same-origin content). This follows the standard React "defaults with overrides" pattern. The constant was renamed from `FORCED_PROPS_BY_TAG` to `DEFAULT_PROPS_BY_TAG` and the local variable from `forcedProps` to `defaultProps` to accurately reflect the new semantics. |
||
|---|---|---|
| .claude-pr | ||
| .cursor | ||
| .github | ||
| .vscode | ||
| .yarn | ||
| packages | ||
| .dockerignore | ||
| .gitattributes | ||
| .gitignore | ||
| .mcp.json | ||
| .nvmrc | ||
| .yarnrc.yml | ||
| CLAUDE.md | ||
| jest.preset.js | ||
| LICENSE | ||
| nx.json | ||
| package.json | ||
| README.md | ||
| tsconfig.base.json | ||
| yarn.config.cjs | ||
| yarn.lock | ||
The #1 Open-Source CRM
🌐 Website · 📚 Documentation · 
Roadmap · 
Discord · 
Figma
Installation
See: 🚀 Self-hosting 🖥️ Local Setup
Why Twenty
We built Twenty for three reasons:
CRMs are too expensive, and users are trapped. Companies use locked-in customer data to hike prices. It shouldn't be that way.
A fresh start is required to build a better experience. We can learn from past mistakes and craft a cohesive experience inspired by new UX patterns from tools like Notion, Airtable or Linear.
We believe in open-source and community. Hundreds of developers are already building Twenty together. Once we have plugin capabilities, a whole ecosystem will grow around it.
What You Can Do With Twenty
Please feel free to flag any specific needs you have by creating an issue.
Below are a few features we have implemented to date:
- Personalize layouts with filters, sort, group by, kanban and table views
- Customize your objects and fields
- Create and manage permissions with custom roles
- Automate workflow with triggers and actions
- Emails, calendar events, files, and more
Personalize layouts with filters, sort, group by, kanban and table views
Customize your objects and fields
Create and manage permissions with custom roles
Automate workflow with triggers and actions
Emails, calendar events, files, and more
Stack
- TypeScript
- Nx
- NestJS, with BullMQ, PostgreSQL, Redis
- React, with Jotai, Linaria and Lingui
Thanks
Thanks to these amazing services that we use and recommend for UI testing (Chromatic), code review (Greptile), catching bugs (Sentry) and translating (Crowdin).
Join the Community
- Star the repo
- Subscribe to releases (watch -> custom -> releases)
- Follow us on Twitter or LinkedIn
- Join our Discord
- Improve translations on Crowdin
- Contributions are, of course, most welcome!