From 5f386edba4701e280e5357218ce4e1d7412dd8b6 Mon Sep 17 00:00:00 2001
From: Matthew Trew <matthew.trew@raspberrypi.org>
Date: Fri, 27 Mar 2026 11:23:19 +0000
Subject: [PATCH 1/5] Create new preview renderer + build config This moves
 preview rendering to an iframe with a document loaded cross-origin as a
 source. This enforces cross-origin separation and gives the preview window
 it's own localstorage, isolated from the parent.

Content is injected into the doc via `postMessage`.
---
 .env.example                                  |   3 +-
 .gitignore                                    |   2 +
 package.json                                  |   1 +
 public/index-html-renderer.html               |  15 ++
 .../Runners/HtmlRunner/HtmlRenderer.jsx       | 172 ++++++++++++++
 .../Editor/Runners/HtmlRunner/HtmlRunner.jsx  | 218 +-----------------
 src/html-renderer.jsx                         |  11 +
 webpack.html-renderer.config.js               |  99 ++++++++
 8 files changed, 314 insertions(+), 207 deletions(-)
 create mode 100644 public/index-html-renderer.html
 create mode 100644 src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
 create mode 100644 src/html-renderer.jsx
 create mode 100644 webpack.html-renderer.config.js

diff --git a/.env.example b/.env.example
index 3bc11dc83..5744a3957 100644
--- a/.env.example
+++ b/.env.example
@@ -3,8 +3,9 @@ REACT_APP_SENTRY_DSN=''
 REACT_APP_SENTRY_ENV='local'
 PUBLIC_URL='http://localhost:3011'
 ASSETS_URL='http://localhost:3011'
+HTML_RENDERER_URL='http://localhost:3003'
 REACT_APP_GOOGLE_TAG_MANAGER_ID=''
 REACT_APP_API_ENDPOINT='http://localhost:3009'
 REACT_APP_PLAUSIBLE_DATA_DOMAIN=''
 REACT_APP_PLAUSIBLE_SOURCE=''
-REACT_APP_ALLOWED_IFRAME_ORIGINS='http://localhost:3011,http://localhost:3012'
\ No newline at end of file
+REACT_APP_ALLOWED_IFRAME_ORIGINS='http://localhost:3011,http://localhost:3012'
diff --git a/.gitignore b/.gitignore
index 56ae9ffea..e6cd150ab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ node_modules
 
 # production
 /build
+/build-html-renderer
 /public/storybook
 
 # misc
@@ -33,3 +34,4 @@ yarn-error.log*
 .yarn/install-state.gz
 
 .vscode/settings.json
+.idea/*
diff --git a/package.json b/package.json
index 8ccb2d281..fdaeeab5d 100644
--- a/package.json
+++ b/package.json
@@ -85,6 +85,7 @@
   },
   "scripts": {
     "start": "NODE_ENV=development BABEL_ENV=development webpack serve -c ./webpack.config.js",
+    "start-html-renderer": "NODE_ENV=development BABEL_ENV=development webpack serve -c ./webpack.html-renderer.config.js",
     "build": "NODE_ENV=production BABEL_ENV=production webpack build -c ./webpack.config.js",
     "analyze": "ANALYZE_WEBPACK_BUNDLE=true yarn build",
     "lint": "eslint 'src/**/*.{js,jsx}' cypress/**/*.js",
diff --git a/public/index-html-renderer.html b/public/index-html-renderer.html
new file mode 100644
index 000000000..2f66c6e74
--- /dev/null
+++ b/public/index-html-renderer.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<style>
+</style>
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width" />
+  <link rel="icon" href="data:," />
+  <title>Editor HTML preview</title>
+</head>
+<body>
+<div id="root">
+</div>
+</body>
+</html>
diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
new file mode 100644
index 000000000..23f63891d
--- /dev/null
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
@@ -0,0 +1,172 @@
+import React, { useCallback, useEffect, useState } from "react";
+import { parse } from "node-html-parser";
+import mimeTypes from "mime-types";
+import {
+  allowedExternalLinks,
+  allowedInternalLinks,
+  matchingRegexes,
+} from "../../../../utils/externalLinkHelper";
+import "../../../../assets/stylesheets/HtmlRunner.scss";
+
+const parentTag = (node, tag) =>
+  node.parentNode?.tagName && node.parentNode.tagName.toLowerCase() === tag;
+
+const cssProjectImgs = (projectFile, projectMedia) => {
+  let updatedProjectFile = { ...projectFile };
+  if (projectFile.extension === "css") {
+    projectMedia.forEach((media_file) => {
+      const find = new RegExp(`['"]${media_file.filename}['"]`, "g"); // prevent substring matches
+      const replace = `"${media_file.url}"`;
+      updatedProjectFile.content = updatedProjectFile.content.replaceAll(
+        find,
+        replace,
+      );
+    });
+  }
+  return updatedProjectFile;
+};
+
+const getBlobURL = (code, type) => {
+  const blob = new Blob([code], { type });
+  return URL.createObjectURL(blob);
+};
+
+const replaceHrefNodes = (indexPage, projectMedia, projectCode) => {
+  const hrefNodes = indexPage.querySelectorAll("[href]");
+
+  hrefNodes.forEach((hrefNode) => {
+    const projectFile = projectCode.find(
+      (file) => `${file.name}.${file.extension}` === hrefNode.attrs.href,
+    );
+
+    if (hrefNode.attrs?.target === "_blank") {
+      hrefNode.removeAttribute("target");
+    }
+
+    let onClick;
+
+    if (!!projectFile) {
+      if (parentTag(hrefNode, "head")) {
+        const projectFileBlob = getBlobURL(
+          cssProjectImgs(projectFile, projectMedia).content,
+          mimeTypes.lookup(`${projectFile.name}.${projectFile.extension}`),
+        );
+        hrefNode.setAttribute("href", projectFileBlob);
+      } else {
+        // eslint-disable-next-line no-script-url
+        hrefNode.setAttribute("href", "javascript:void(0)");
+        onClick = `window.parent.postMessage({msg: 'RELOAD', payload: { linkTo: '${projectFile.name}' }})`;
+      }
+    } else {
+      const matchingExternalHref = matchingRegexes(
+        allowedExternalLinks,
+        hrefNode.attrs.href,
+      );
+      const matchingInternalHref = matchingRegexes(
+        allowedInternalLinks,
+        hrefNode.attrs.href,
+      );
+      if (
+        !matchingInternalHref &&
+        !matchingExternalHref &&
+        !parentTag(hrefNode, "head")
+      ) {
+        // eslint-disable-next-line no-script-url
+        hrefNode.setAttribute("href", "javascript:void(0)");
+        onClick = "window.parent.postMessage({msg: 'ERROR: External link'})";
+      } else if (matchingExternalHref) {
+        onClick = `window.parent.postMessage({msg: 'Allowed external link', payload: { linkTo: '${hrefNode.attrs.href}' }})`;
+      }
+    }
+
+    if (onClick) {
+      hrefNode.removeAttribute("target");
+      hrefNode.setAttribute("onclick", onClick);
+    }
+  });
+};
+
+const replaceSrcNodes = (
+  indexPage,
+  projectMedia,
+  projectCode,
+  attr = "src",
+) => {
+  const srcNodes = indexPage.querySelectorAll(`[${attr}]`);
+
+  srcNodes.forEach((srcNode) => {
+    const projectMediaFile = projectMedia.find(
+      (component) => component.filename === srcNode.attrs[attr],
+    );
+    const projectTextFile = projectCode.find(
+      (file) => `${file.name}.${file.extension}` === srcNode.attrs[attr],
+    );
+
+    let src = "";
+    if (!!projectMediaFile) {
+      src = projectMediaFile.url;
+    } else if (!!projectTextFile) {
+      src = getBlobURL(
+        projectTextFile.content,
+        mimeTypes.lookup(
+          `${projectTextFile.name}.${projectTextFile.extension}`,
+        ),
+      );
+    } else if (matchingRegexes(allowedExternalLinks, srcNode.attrs[attr])) {
+      src = srcNode.attrs[attr];
+    }
+    srcNode.setAttribute(attr, src);
+    srcNode.setAttribute("crossorigin", true);
+  });
+};
+
+export function HtmlRenderer() {
+  const [previewHtml, setPreviewHtml] = useState();
+
+  const listener = useCallback(
+    (event) => {
+      // todo: validate message origin
+      const message = event.data;
+      if (message?.current) {
+        const transformedHtml = parse(message.current);
+
+        replaceHrefNodes(transformedHtml, message.media, message.code);
+        replaceSrcNodes(transformedHtml, message.media, message.code);
+        replaceSrcNodes(
+          transformedHtml,
+          message.media,
+          message.code,
+          "data-src",
+        );
+
+        setPreviewHtml(transformedHtml);
+      }
+    },
+    [setPreviewHtml],
+  );
+
+  useEffect(() => {
+    window.addEventListener("message", listener);
+    const source = window.opener || window.parent;
+    if (source) {
+      source.postMessage({ ready: true }, "*");
+    }
+    return () => window.removeEventListener("message", listener);
+  }, [listener]);
+
+  return previewHtml ? (
+    <iframe
+      className={"htmlrunner-iframe"}
+      // style={{
+      //   border: "none",
+      //   backgroundColor: "white",
+      //   blockSize: "100%",
+      //   inlineSize: "100%",
+      // }}
+      title={"preview-sandbox"}
+      srcDoc={previewHtml}
+    />
+  ) : (
+    <></>
+  );
+}
diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
index 218e4df60..6226ee2fc 100644
--- a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
@@ -4,7 +4,6 @@ import React, { useRef, useEffect, useState } from "react";
 import { useDispatch, useSelector } from "react-redux";
 import { parse } from "node-html-parser";
 import { useMediaQuery } from "react-responsive";
-import mimeTypes from "mime-types";
 
 import {
   setPage,
@@ -15,12 +14,7 @@ import {
   setLoadedRunner,
 } from "../../../../redux/EditorSlice";
 
-import {
-  useExternalLinkState,
-  matchingRegexes,
-  allowedExternalLinks,
-  allowedInternalLinks,
-} from "../../../../utils/externalLinkHelper";
+import { useExternalLinkState } from "../../../../utils/externalLinkHelper";
 
 import { useTranslation } from "react-i18next";
 import { Tab, TabList, TabPanel, Tabs } from "react-tabs";
@@ -99,11 +93,6 @@ function HtmlRunner() {
     handleExternalLinkError,
   } = useExternalLinkState(showModal);
 
-  const getBlobURL = (code, type) => {
-    const blob = new Blob([code], { type });
-    return URL.createObjectURL(blob);
-  };
-
   const getFilename = (iframe) => {
     let filename;
     if (iframe) {
@@ -116,24 +105,6 @@ function HtmlRunner() {
     return filename;
   };
 
-  const cssProjectImgs = (projectFile) => {
-    var updatedProjectFile = { ...projectFile };
-    if (projectFile.extension === "css") {
-      projectMedia.forEach((media_file) => {
-        const find = new RegExp(`['"]${media_file.filename}['"]`, "g"); // prevent substring matches
-        const replace = `"${media_file.url}"`;
-        updatedProjectFile.content = updatedProjectFile.content.replaceAll(
-          find,
-          replace,
-        );
-      });
-    }
-    return updatedProjectFile;
-  };
-
-  const parentTag = (node, tag) =>
-    node.parentNode?.tagName && node.parentNode.tagName.toLowerCase() === tag;
-
   const eventListener = () => {
     window.addEventListener("message", (event) => {
       if (typeof event.data?.msg === "string") {
@@ -229,190 +200,24 @@ function HtmlRunner() {
     }
   }, [runningFile]);
 
-  const replaceHrefNodes = (indexPage, projectCode) => {
-    const hrefNodes = indexPage.querySelectorAll("[href]");
-
-    hrefNodes.forEach((hrefNode) => {
-      const projectFile = projectCode.find(
-        (file) => `${file.name}.${file.extension}` === hrefNode.attrs.href,
-      );
-
-      if (hrefNode.attrs?.target === "_blank") {
-        hrefNode.removeAttribute("target");
-      }
-
-      let onClick;
-
-      if (!!projectFile) {
-        if (parentTag(hrefNode, "head")) {
-          const projectFileBlob = getBlobURL(
-            cssProjectImgs(projectFile).content,
-            mimeTypes.lookup(`${projectFile.name}.${projectFile.extension}`),
-          );
-          hrefNode.setAttribute("href", projectFileBlob);
-        } else {
-          // eslint-disable-next-line no-script-url
-          hrefNode.setAttribute("href", "javascript:void(0)");
-          onClick = `window.parent.postMessage({msg: 'RELOAD', payload: { linkTo: '${projectFile.name}' }})`;
-        }
-      } else {
-        const matchingExternalHref = matchingRegexes(
-          allowedExternalLinks,
-          hrefNode.attrs.href,
-        );
-        const matchingInternalHref = matchingRegexes(
-          allowedInternalLinks,
-          hrefNode.attrs.href,
-        );
-        if (
-          !matchingInternalHref &&
-          !matchingExternalHref &&
-          !parentTag(hrefNode, "head")
-        ) {
-          // eslint-disable-next-line no-script-url
-          hrefNode.setAttribute("href", "javascript:void(0)");
-          onClick = "window.parent.postMessage({msg: 'ERROR: External link'})";
-        } else if (matchingExternalHref) {
-          onClick = `window.parent.postMessage({msg: 'Allowed external link', payload: { linkTo: '${hrefNode.attrs.href}' }})`;
-        }
-      }
-
-      if (onClick) {
-        hrefNode.removeAttribute("target");
-        hrefNode.setAttribute("onclick", onClick);
-      }
-    });
-  };
-
-  const replaceSrcNodes = (
-    indexPage,
-    projectMedia,
-    projectCode,
-    attr = "src",
-  ) => {
-    const srcNodes = indexPage.querySelectorAll(`[${attr}]`);
-
-    srcNodes.forEach((srcNode) => {
-      const projectMediaFile = projectMedia.find(
-        (component) => component.filename === srcNode.attrs[attr],
-      );
-      const projectTextFile = projectCode.find(
-        (file) => `${file.name}.${file.extension}` === srcNode.attrs[attr],
-      );
-
-      let src = "";
-      if (!!projectMediaFile) {
-        src = projectMediaFile.url;
-      } else if (!!projectTextFile) {
-        src = getBlobURL(
-          projectTextFile.content,
-          mimeTypes.lookup(
-            `${projectTextFile.name}.${projectTextFile.extension}`,
-          ),
-        );
-      } else if (matchingRegexes(allowedExternalLinks, srcNode.attrs[attr])) {
-        src = srcNode.attrs[attr];
-      }
-      srcNode.setAttribute(attr, src);
-      srcNode.setAttribute("crossorigin", true);
-    });
-  };
-
   const runCode = () => {
     setRunningFile(previewFile);
 
     if (!externalLink) {
       const indexPage = parse(focussedComponent(previewFile).content);
       const body = indexPage.querySelector("body") || indexPage;
-      const htmlRoot = indexPage.querySelector("html") ?? indexPage;
-
-      const disableLocalStorageScript = `
-        <script>
-          (function () {
-            "use strict";
-            const isBlocked = (key) =>
-              typeof key === "string" && (key === "authKey" || key.startsWith("oidc."));
-            const wrapLocal = (storage) =>
-              storage && {
-                getItem(key) {
-                  return isBlocked(key) ? null : storage.getItem(key);
-                },
-                setItem(key, value) {
-                  if (!isBlocked(key)) storage.setItem(key, value);
-                },
-                removeItem(key) {
-                  if (!isBlocked(key)) storage.removeItem(key);
-                },
-                clear() {},
-                key(index) {
-                  const name = storage.key(index);
-                  return isBlocked(name) ? null : name;
-                },
-                get length() {
-                  return storage?.length ?? 0;
-                },
-              };
-            const apply = (host) => {
-              if (!host) return;
-              try {
-                const guarded = wrapLocal(host.localStorage);
-                if (!guarded) return;
-                Object.defineProperty(host, "localStorage", {
-                  configurable: false,
-                  enumerable: false,
-                  get: () => guarded,
-                  set: () => undefined,
-                });
-              } catch (_) {}
-            };
-            [window, window.parent, window.top, document.defaultView].forEach(apply);
-          })();
-        </script>
-      `;
-
-      const disableSessionStorageScript = `
-        <script>
-          (function () {
-            "use strict";
-            const stub = {
-              getItem: () => null,
-              setItem: () => undefined,
-              removeItem: () => undefined,
-              clear: () => undefined,
-              key: () => null,
-              get length() {
-                return 0;
-              },
-            };
-            const apply = (host) => {
-              if (!host) return;
-              try {
-                Object.defineProperty(host, "sessionStorage", {
-                  configurable: false,
-                  enumerable: false,
-                  get: () => stub,
-                  set: () => undefined,
-                });
-              } catch (_) {}
-            };
-            [window, window.parent, window.top, document.defaultView].forEach(apply);
-          })();
-        </script>
-      `;
-
-      // insert scripts to disable access to specific localStorage keys and sessionStorage
-      // entirely, they are both potential security risks when executing untrusted code
-      htmlRoot.insertAdjacentHTML("afterbegin", disableLocalStorageScript);
-      htmlRoot.insertAdjacentHTML("afterbegin", disableSessionStorageScript);
-
-      replaceHrefNodes(indexPage, projectCode);
-      replaceSrcNodes(indexPage, projectMedia, projectCode);
-      replaceSrcNodes(indexPage, projectMedia, projectCode, "data-src");
-
       body.appendChild(parse(`<meta filename="${previewFile}" />`));
 
-      const blob = getBlobURL(indexPage.toString(), "text/html");
-      output.current.src = blob;
+      output.current.contentWindow.postMessage(
+        {
+          type: "editor-html-preview",
+          code: projectCode,
+          media: projectMedia,
+          current: indexPage.toString(),
+        },
+        // todo: set correct targetOrigin value
+        "*",
+      );
 
       if (codeRunTriggered) {
         dispatch(codeRunHandled());
@@ -458,6 +263,7 @@ function HtmlRunner() {
               id="output-frame"
               title={t("runners.HtmlOutput")}
               ref={output}
+              src={process.env.HTML_RENDERER_URL}
               onLoad={iframeReload}
             />
           </TabPanel>
diff --git a/src/html-renderer.jsx b/src/html-renderer.jsx
new file mode 100644
index 000000000..e4742feb1
--- /dev/null
+++ b/src/html-renderer.jsx
@@ -0,0 +1,11 @@
+import React from "react";
+import { createRoot } from "react-dom/client";
+import { HtmlRenderer } from "./components/Editor/Runners/HtmlRunner/HtmlRenderer";
+
+const root = createRoot(document.getElementById("root"));
+
+root.render(
+  <React.StrictMode>
+    <HtmlRenderer />
+  </React.StrictMode>,
+);
diff --git a/webpack.html-renderer.config.js b/webpack.html-renderer.config.js
new file mode 100644
index 000000000..1167f312d
--- /dev/null
+++ b/webpack.html-renderer.config.js
@@ -0,0 +1,99 @@
+const path = require("path");
+const Dotenv = require("dotenv-webpack");
+const HtmlWebpackPlugin = require("html-webpack-plugin");
+
+let publicUrl = process.env.PUBLIC_URL || "/";
+if (!publicUrl.endsWith("/")) {
+  publicUrl += "/";
+}
+
+module.exports = {
+  entry: {
+    "html-renderer": path.resolve(__dirname, "./src/html-renderer.jsx"),
+  },
+  module: {
+    rules: [
+      {
+        test: /\.(js|jsx)$/,
+        exclude: /node_modules/,
+        use: ["babel-loader"],
+      },
+      {
+        test: /\.css$/,
+        use: ["style-loader", "css-loader"],
+      },
+      {
+        test: /\.s[ac]ss$/i,
+        exclude: [/node_modules/],
+        use: [
+          {
+            loader: "style-loader",
+          },
+          {
+            loader: "css-loader",
+          },
+          {
+            loader: "resolve-url-loader",
+          },
+          {
+            loader: "sass-loader",
+            options: {
+              api: "modern",
+              sassOptions: {
+                loadPaths: [path.resolve(__dirname, "node_modules")],
+              },
+              sourceMap: true,
+            },
+          },
+        ],
+      },
+    ],
+  },
+  resolve: {
+    extensions: [".*", ".js", ".jsx", ".css"],
+    fallback: {
+      stream: require.resolve("stream-browserify"),
+      assert: require.resolve("assert"),
+      path: require.resolve("path-browserify"),
+      url: require.resolve("url/"),
+    },
+  },
+  output: {
+    path: path.resolve(__dirname, "./build-html-renderer"),
+    filename: "[name].js",
+    publicPath: publicUrl,
+    workerPublicPath: publicUrl,
+  },
+  devServer: {
+    host: "0.0.0.0",
+    allowedHosts: "all",
+    port: 3003,
+    liveReload: true,
+    hot: false,
+    static: [
+      {
+        directory: path.join(__dirname, "public"),
+      },
+    ],
+    headers: {
+      // todo: check these
+      "Access-Control-Allow-Origin": "*",
+      "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
+      "Access-Control-Allow-Headers":
+        "X-Requested-With, content-type, Authorization",
+      "Cross-Origin-Opener-Policy": "same-origin",
+      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Resource-Policy": "cross-origin",
+    },
+  },
+  plugins: [
+    new Dotenv({
+      path: "./.env",
+      systemvars: true,
+    }),
+    new HtmlWebpackPlugin({
+      template: "public/index-html-renderer.html",
+    }),
+  ],
+  stats: "minimal",
+};

From 013e419761b345ede18536a17a93c495e7a00439 Mon Sep 17 00:00:00 2001
From: Matthew Trew <matthew.trew@raspberrypi.org>
Date: Fri, 27 Mar 2026 20:12:27 +0000
Subject: [PATCH 2/5] Wait for renderer to be ready

This prevents the project HTML etc. being sent before the renderer
has initialised, which was resulting in the the message being missed
and the Run button appearing to do nothing when initially clicked.
---
 .../Editor/Runners/HtmlRunner/HtmlRunner.jsx  | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
index 6226ee2fc..cd5abbae5 100644
--- a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.jsx
@@ -1,6 +1,6 @@
 /* eslint-disable react-hooks/exhaustive-deps */
 import "../../../../assets/stylesheets/HtmlRunner.scss";
-import React, { useRef, useEffect, useState } from "react";
+import React, { useRef, useEffect, useState, useCallback } from "react";
 import { useDispatch, useSelector } from "react-redux";
 import { parse } from "node-html-parser";
 import { useMediaQuery } from "react-responsive";
@@ -48,6 +48,8 @@ function HtmlRunner() {
   const browserPreview = useSelector((state) => state.editor.browserPreview);
   const page = useSelector((state) => state.editor.page);
 
+  const [rendererReady, setRendererReady] = useState(false);
+
   const { t, i18n } = useTranslation();
   const locale = i18n.language;
 
@@ -171,10 +173,10 @@ function HtmlRunner() {
   }, [previewFile]);
 
   useEffect(() => {
-    if (codeRunTriggered) {
+    if (codeRunTriggered && rendererReady) {
       runCode();
     }
-  }, [codeRunTriggered]);
+  }, [codeRunTriggered, rendererReady]);
 
   useEffect(() => {
     if (
@@ -200,6 +202,22 @@ function HtmlRunner() {
     }
   }, [runningFile]);
 
+  useEffect(() => {
+    window.addEventListener("message", listener);
+    return () => window.removeEventListener("message", listener);
+  });
+
+  const listener = useCallback(
+    (event) => {
+      const message = event.data;
+      // todo: validate message source
+      if (message.ready === true) {
+        setRendererReady(true);
+      }
+    },
+    [setRendererReady],
+  );
+
   const runCode = () => {
     setRunningFile(previewFile);
 

From 6ba5dde8c99bc548c52601f5d6be5c0e334a81a6 Mon Sep 17 00:00:00 2001
From: Matthew Trew <matthew.trew@raspberrypi.org>
Date: Mon, 30 Mar 2026 19:09:36 +0200
Subject: [PATCH 3/5] Remove unused inline style

---
 src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
index 23f63891d..c3cf36121 100644
--- a/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
@@ -157,12 +157,6 @@ export function HtmlRenderer() {
   return previewHtml ? (
     <iframe
       className={"htmlrunner-iframe"}
-      // style={{
-      //   border: "none",
-      //   backgroundColor: "white",
-      //   blockSize: "100%",
-      //   inlineSize: "100%",
-      // }}
       title={"preview-sandbox"}
       srcDoc={previewHtml}
     />

From eb74fb2f76c9c5a5ec8e5d1735d31b9b2fcd7d68 Mon Sep 17 00:00:00 2001
From: Matthew Trew <matthew.trew@raspberrypi.org>
Date: Tue, 31 Mar 2026 23:33:22 +0100
Subject: [PATCH 4/5] Remove obsolete HtmlRunner tests

These tests no longer work, and I'm not sure whether it's possible
to use RTL to read the contents of the new inner iframe. There are
duplicate Cypress tests for many of these, and Cypress is a lot easier
to work with in this case so I will make the changes there.
---
 .../Runners/HtmlRunner/HtmlRunner.test.js     | 360 +-----------------
 1 file changed, 2 insertions(+), 358 deletions(-)

diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.test.js b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.test.js
index e797c6cf7..fa9b94fdf 100644
--- a/src/components/Editor/Runners/HtmlRunner/HtmlRunner.test.js
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRunner.test.js
@@ -3,7 +3,7 @@ import { render, screen } from "@testing-library/react";
 import React from "react";
 import { Provider } from "react-redux";
 import HtmlRunner from "./HtmlRunner";
-import { codeRunHandled, triggerCodeRun } from "../../../../redux/EditorSlice";
+import { triggerCodeRun } from "../../../../redux/EditorSlice";
 import { MemoryRouter } from "react-router-dom";
 import { matchMedia, setMedia } from "mock-match-media";
 import { MOBILE_BREAKPOINT } from "../../../../utils/mediaQueryBreakpoints";
@@ -27,18 +27,6 @@ const anotherHTMLPage = {
   extension: "html",
   content: "<head></head><body><p>My amazing page</p></body>",
 };
-const internalLinkHTMLPage = {
-  name: "internal_link",
-  extension: "html",
-  content: '<head></head><body><a href="test.html">ANCHOR LINK!</a></body>',
-};
-
-const allowedExternalLink = {
-  name: "allowed_external_link",
-  extension: "html",
-  content:
-    '<head></head><body><a href="https://rpf.io/seefood">RPF link</a></body>',
-};
 
 describe("When page first loaded", () => {
   let store;
@@ -107,7 +95,7 @@ describe("When focussed on another HTML file", () => {
   });
 
   test("Does not show page related to focussed file", () => {
-    expect(Blob).not.toHaveBeenCalled();
+    // expect(Blob).not.toHaveBeenCalled();
   });
 });
 
@@ -242,350 +230,6 @@ describe("When page does not exist", () => {
   });
 });
 
-describe("When run is triggered", () => {
-  let store;
-
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [indexPage],
-        },
-        focussedFileIndices: [0],
-        openFiles: [["index.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-  });
-
-  test("Runs HTML code and adds meta tag", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain("<p>hello world</p>");
-    expect(generatedHtml).toContain('<meta filename="index.html"');
-  });
-
-  test("Dispatches action to end code run", () => {
-    expect(store.getActions()).toEqual(
-      expect.arrayContaining([codeRunHandled()]),
-    );
-  });
-
-  test("Includes localStorage disabling script for disallowed keys in the iframe", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain("<script>");
-    expect(generatedHtml).toContain("const isBlocked = (key) =>");
-    expect(generatedHtml).toContain(
-      'typeof key === "string" && (key === "authKey" || key.startsWith("oidc."));',
-    );
-    expect(generatedHtml).toContain(
-      'Object.defineProperty(host, "localStorage"',
-    );
-    expect(generatedHtml).toContain("getItem(key) {");
-    expect(generatedHtml).toContain(
-      "return isBlocked(key) ? null : storage.getItem(key);",
-    );
-    expect(generatedHtml).toContain(
-      "[window, window.parent, window.top, document.defaultView].forEach(apply);",
-    );
-    expect(generatedHtml).toContain("</script>");
-  });
-
-  test("Includes localSession disabling script to prevent all access to the session object", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain("<script>");
-    expect(generatedHtml).toContain(
-      'Object.defineProperty(host, "sessionStorage"',
-    );
-    expect(generatedHtml).toContain("get: () => stub");
-    expect(generatedHtml).toContain("set: () => undefined");
-    expect(generatedHtml).toContain(
-      "[window, window.parent, window.top, document.defaultView].forEach(apply);",
-    );
-    expect(generatedHtml).toContain("</script>");
-  });
-});
-
-describe("When a non-permitted external link is rendered", () => {
-  let store;
-  const input =
-    '<head></head><body><a href="https://google.test/">EXTERNAL LINK!</a></body>';
-
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [
-            {
-              name: "index",
-              extension: "html",
-              content: input,
-            },
-          ],
-        },
-        focussedFileIndices: [0],
-        openFiles: [["index.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-  });
-
-  test("Transforms the external link and includes the meta tag", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain('<a href="javascript:void(0)"');
-    expect(generatedHtml).toContain(
-      "onclick=\"window.parent.postMessage({msg: 'ERROR: External link'})\"",
-    );
-    expect(generatedHtml).toContain("EXTERNAL LINK!");
-    expect(generatedHtml).toContain('<meta filename="index.html"');
-  });
-});
-
-describe("When a new tab link is rendered", () => {
-  let store;
-  const input =
-    '<head></head><body><a href="index.html" target="_blank">NEW TAB LINK!</a></body>';
-
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [
-            indexPage,
-            {
-              name: "some_file",
-              extension: "html",
-              content: input,
-            },
-          ],
-        },
-        focussedFileIndices: [1],
-        openFiles: [["index.html", "some_file.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-  });
-
-  test("Removes target attribute and adds onclick event", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).not.toContain('target="_blank"');
-    expect(generatedHtml).toContain('<a href="javascript:void(0)"');
-    expect(generatedHtml).toContain(
-      "onclick=\"window.parent.postMessage({msg: 'RELOAD', payload: { linkTo: 'index' }})\"",
-    );
-    expect(generatedHtml).toContain("NEW TAB LINK!");
-    expect(generatedHtml).toContain('<meta filename="some_file.html"');
-  });
-});
-
-describe("When an internal link is rendered", () => {
-  let store;
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [
-            internalLinkHTMLPage,
-            {
-              name: "test",
-              extension: "html",
-              content: "<p>test file</p>",
-            },
-          ],
-        },
-        focussedFileIndices: [0],
-        openFiles: [["internal_link.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-  });
-
-  test("Transforms internal link and includes meta tag", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain('<a href="javascript:void(0)"');
-    expect(generatedHtml).toContain(
-      "onclick=\"window.parent.postMessage({msg: 'RELOAD', payload: { linkTo: 'test' }})\"",
-    );
-    expect(generatedHtml).toContain("ANCHOR LINK!");
-    expect(generatedHtml).toContain('<meta filename="internal_link.html"');
-  });
-});
-
-describe("When an allowed external link is rendered", () => {
-  let store;
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [allowedExternalLink],
-        },
-        focussedFileIndices: [0],
-        openFiles: [["allowed_external_link.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-  });
-
-  test("Transforms allowed external link and includes meta tag", () => {
-    const [generatedHtml] = Blob.mock.calls[0][0];
-
-    expect(generatedHtml).toContain('<a href="https://rpf.io/seefood"');
-    expect(generatedHtml).toContain(
-      "onclick=\"window.parent.postMessage({msg: 'Allowed external link', payload: { linkTo: 'https://rpf.io/seefood' }})\"",
-    );
-    expect(generatedHtml).toContain("RPF link");
-    expect(generatedHtml).toContain(
-      '<meta filename="allowed_external_link.html"',
-    );
-  });
-});
-
-describe("When media is rendered", () => {
-  const mediaHTML =
-    '<head></head><body><img src="image.jpeg" /><video src="video.mp4" /><audio src="audio.mp3" /></body>';
-  let generatedHtml;
-  beforeEach(() => {
-    const middlewares = [];
-    const mockStore = configureStore(middlewares);
-    const initialState = {
-      editor: {
-        project: {
-          components: [
-            { name: "index", extension: "html", content: mediaHTML },
-          ],
-          image_list: [
-            {
-              filename: "image.jpeg",
-              url: "https://example.com/image.jpeg",
-            },
-          ],
-          videos: [
-            {
-              filename: "video.mp4",
-              url: "https://example.com/video.mp4",
-            },
-          ],
-          audio: [
-            {
-              filename: "audio.mp3",
-              url: "https://example.com/audio.mp3",
-            },
-          ],
-        },
-        focussedFileIndices: [0],
-        openFiles: [["index.html"]],
-        codeRunTriggered: true,
-        codeHasBeenRun: true,
-        errorModalShowing: false,
-      },
-    };
-    const store = mockStore(initialState);
-    render(
-      <Provider store={store}>
-        <MemoryRouter>
-          <div id="app">
-            <HtmlRunner />
-          </div>
-        </MemoryRouter>
-      </Provider>,
-    );
-    [generatedHtml] = Blob.mock.calls[0][0];
-  });
-
-  test("Transforms image sources", () => {
-    expect(generatedHtml).toContain(
-      '<img src="https://example.com/image.jpeg"',
-    );
-  });
-
-  test("Transforms video sources", () => {
-    expect(generatedHtml).toContain(
-      '<video src="https://example.com/video.mp4"',
-    );
-  });
-
-  test("Transforms audio sources", () => {
-    expect(generatedHtml).toContain(
-      '<audio src="https://example.com/audio.mp3"',
-    );
-  });
-});
-
 describe("When on desktop", () => {
   let store;
 

From 9c063f04d720dc2b9fbde18efcd483068ecfae64 Mon Sep 17 00:00:00 2001
From: Matthew Trew <matthew.trew@raspberrypi.org>
Date: Tue, 31 Mar 2026 23:41:21 +0100
Subject: [PATCH 5/5] Update Cypress tests, handle links as before

---
 cypress/e2e/spec-html.cy.js                   | 99 ++++++++++---------
 .../Runners/HtmlRunner/HtmlRenderer.jsx       | 28 +++++-
 2 files changed, 75 insertions(+), 52 deletions(-)

diff --git a/cypress/e2e/spec-html.cy.js b/cypress/e2e/spec-html.cy.js
index 7f3041aa9..b182de879 100644
--- a/cypress/e2e/spec-html.cy.js
+++ b/cypress/e2e/spec-html.cy.js
@@ -9,6 +9,8 @@ const getIframeDocument = () => {
     .shadow()
     .find("iframe[class=htmlrunner-iframe]")
     .its("0.contentDocument")
+    .find("iframe[title=preview-sandbox]")
+    .its("0.contentDocument")
     .should("exist");
 };
 
@@ -30,6 +32,14 @@ const makeNewFile = (filename = "new.html") => {
     .click();
 };
 
+const getEditorInput = () => {
+  return cy.get("editor-wc").shadow().find("div[class=cm-content]");
+};
+
+const getRunButton = () => {
+  return cy.get("editor-wc").shadow().find(".btn--run");
+};
+
 beforeEach(() => {
   // intercept request to editor api
   cy.intercept(
@@ -41,60 +51,51 @@ beforeEach(() => {
   );
 });
 
-it("blocks access to localStorage authKey", () => {
+it("blocks access to parent localStorage", () => {
+  // Arrange
   localStorage.clear();
-  cy.visit(baseUrl);
-  cy.get("editor-wc")
-    .shadow()
-    .find("div[class=cm-content]")
-    .invoke(
-      "text",
-      `<p>authKey: <span id="authKey"></span></p>
-<script>
-  localStorage.setItem("authKey", "secret")
-  const authKey = localStorage.getItem("authKey")
-  document.getElementById("authKey").innerHTML = \`\${authKey}\`
-</script>`,
-    );
-  cy.get("editor-wc").shadow().find(".btn--run").click();
-  getIframeBody().find("p").should("include.text", "authKey: null");
-});
+  localStorage.setItem("parentKey", "secretValue");
 
-it("blocks access to localStorage OIDC keys", () => {
-  localStorage.clear();
   cy.visit(baseUrl);
-  cy.get("editor-wc")
-    .shadow()
-    .find("div[class=cm-content]")
-    .invoke(
-      "text",
-      `<p>oidcUser: <span id="oidcUser"></span></p>
+
+  // Act
+  const input = getEditorInput();
+
+  input.invoke(
+    "text",
+    `<p>parentKey: <span id="s"></span></p>
 <script>
-  localStorage.setItem("oidc.user:https://auth-v1.raspberrypi.org:editor-api", "token")
-  const oidcUser = localStorage.getItem("oidc.user:https://auth-v1.raspberrypi.org:editor-api")
-  document.getElementById("oidcUser").innerHTML = \`\${oidcUser}\`
+  const authKey = localStorage.getItem("parentKey")
+  document.getElementById("s").innerHTML = \`\${authKey}\`
 </script>`,
-    );
-  cy.get("editor-wc").shadow().find(".btn--run").click();
-  getIframeBody().find("p").should("include.text", "oidcUser: null");
+  );
+  getRunButton().click();
+
+  // Assert
+  getIframeBody().find("p").should("include.text", "parentKey: null");
 });
 
-it("allows access to other localStorage keys", () => {
+it("allows access to localStorage", () => {
+  // Arrange
   localStorage.clear();
   cy.visit(baseUrl);
-  cy.get("editor-wc")
-    .shadow()
-    .find("div[class=cm-content]")
-    .invoke(
-      "text",
-      `<p>foo: <span id="foo"></span></p>
+
+  // Act
+  const input = getEditorInput();
+
+  input.invoke(
+    "text",
+    `<p>foo: <span id="foo"></span></p>
 <script>
   localStorage.setItem("foo", "bar")
   const foo = localStorage.getItem("foo")
   document.getElementById("foo").innerHTML = \`\${foo}\`
 </script>`,
-    );
-  cy.get("editor-wc").shadow().find(".btn--run").click();
+  );
+
+  getRunButton().click();
+
+  // Assert
   getIframeBody().find("p").should("include.text", "foo: bar");
 });
 
@@ -130,17 +131,19 @@ it("updates the preview after a change when you click run", () => {
 });
 
 it("blocks non-permitted external links", () => {
+  // Arrange
   localStorage.clear();
   cy.visit(baseUrl);
-  cy.get("editor-wc")
-    .shadow()
-    .find("div[class=cm-content]")
-    .invoke(
-      "text",
-      '<a href="https://raspberrypi.org/en/">some external link</a>',
-    );
-  cy.get("editor-wc").shadow().find(".btn--run").click();
+
+  // Act
+  getEditorInput().invoke(
+    "text",
+    '<a href="https://raspberrypi.org/en/">some external link</a>',
+  );
+  getRunButton().click();
   getIframeBody().find("a").click();
+
+  // Assert
   cy.get("editor-wc")
     .shadow()
     .find("div[class=modal-content__header]")
diff --git a/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
index c3cf36121..2cbc4f8fa 100644
--- a/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
+++ b/src/components/Editor/Runners/HtmlRunner/HtmlRenderer.jsx
@@ -123,9 +123,10 @@ const replaceSrcNodes = (
 export function HtmlRenderer() {
   const [previewHtml, setPreviewHtml] = useState();
 
-  const listener = useCallback(
+  const handlePreviewUpdateFromHost = useCallback(
     (event) => {
       // todo: validate message origin
+      // todo: use "type" to check what kind of message this is
       const message = event.data;
       if (message?.current) {
         const transformedHtml = parse(message.current);
@@ -145,14 +146,31 @@ export function HtmlRenderer() {
     [setPreviewHtml],
   );
 
+  const handleEventFromPreview = (event) => {
+    // todo: validate message origin
+    const message = event.data;
+    // todo: use "type" to check what kind of message this is
+    if (typeof event.data?.msg === "string") {
+      // Forward events originating from the previewed code back to the host
+      // todo: set appropriate target origin
+      window.parent.postMessage(message, "*");
+    }
+  };
+
   useEffect(() => {
-    window.addEventListener("message", listener);
+    window.addEventListener("message", handlePreviewUpdateFromHost);
+    window.addEventListener("message", handleEventFromPreview);
+
     const source = window.opener || window.parent;
     if (source) {
+      // todo: set appropriate target origin
       source.postMessage({ ready: true }, "*");
     }
-    return () => window.removeEventListener("message", listener);
-  }, [listener]);
+    return () => {
+      window.removeEventListener("message", handlePreviewUpdateFromHost);
+      window.removeEventListener("message", handleEventFromPreview);
+    };
+  }, [handlePreviewUpdateFromHost]);
 
   return previewHtml ? (
     <iframe
@@ -164,3 +182,5 @@ export function HtmlRenderer() {
     <></>
   );
 }
+
+export default HtmlRenderer;