iframe sandbox attribute with no value not works #473

@JellyLu

We want to use an iframe to render some URLs in the native app. In order to avoid XSS issues, we want to block the sandbox.

Expected: when sandbox has no value, the page should not be able to allow scripts, and in customRender the attributes should contain sandbox, src, etc.

Actual: The script can execute when clicking the button in the page which is rendered by the iframe, and in customRender there are no attributes printed for the iframe.

```dart
Html(
  data: '''
  <div>
    <iframe
      sandbox
      title="W3Schools Free Online Web Tutorials"
      width=$width
      height=$height
      src='https://www.w3schools.com/tags/demo_iframe_sandbox.htm'
    ></iframe>
    <span role="title">test</span>
  </div>
  ''',
  customRender: {
    'iframe': (RenderContext context, Widget child, attributes, _) {
      print('------attributes $attributes');
      return Text('iframe');
    },
    'span': (RenderContext context, Widget child, attributes, _) {
      print('-----span -attributes $attributes');
      return Text('test span');
    },
  },
)
```
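
The expected behaviour described in this issue, as an added example that is not part of the original report and is not flutter_html's code: a renderer deciding whether an iframe may run scripts has to treat a `sandbox` attribute that is present with an empty value as fully restricted, and only an absent attribute as unsandboxed. `SandboxPolicy`, `sandboxPolicy` and the sample attribute maps are hypothetical names and constructed inputs; the map is assumed to hold a valueless attribute as an empty string, as the HTML syntax defines it.

```dart
/// Result of interpreting an iframe's sandbox attribute (hypothetical type).
class SandboxPolicy {
  /// False when the attribute is absent, i.e. no sandboxing at all.
  final bool sandboxed;

  /// Lower-cased allow-* tokens found in the attribute value.
  final Set<String> tokens;

  const SandboxPolicy(this.sandboxed, this.tokens);

  /// Scripts run if the frame is not sandboxed, or allow-scripts is listed.
  bool get scriptsAllowed => !sandboxed || tokens.contains('allow-scripts');
}

/// [attributes] is the element's attribute map (assumed shape): a valueless
/// `sandbox` is present as a key with an empty string value.
SandboxPolicy sandboxPolicy(Map<String, String> attributes) {
  final value = attributes['sandbox'];
  // Presence, not truthiness, decides: null means "no attribute",
  // '' means "attribute present, every restriction applied".
  if (value == null) return const SandboxPolicy(false, <String>{});
  final tokens = value
      .toLowerCase()
      .split(RegExp(r'\s+'))
      .where((t) => t.isNotEmpty)
      .toSet();
  return SandboxPolicy(true, tokens);
}

void main() {
  // Constructed sample attribute maps.
  final cases = <String, Map<String, String>>{
    'no sandbox attribute': {'src': 'https://example.test/'},
    'sandbox (no value)': {'sandbox': '', 'src': 'https://example.test/'},
    'sandbox="allow-forms"': {'sandbox': 'allow-forms'},
    'sandbox="allow-scripts"': {'sandbox': 'allow-scripts'},
  };
  cases.forEach((label, attrs) {
    final p = sandboxPolicy(attrs);
    print('$label -> scriptsAllowed=${p.scriptsAllowed}');
  });
}
```

A renderer that tests the value with an emptiness check instead of a null check would fall into the first branch for the valueless case and leave scripts enabled.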
