From f8bdfcbabacc023ba12d1459d15c27879413e83f Mon Sep 17 00:00:00 2001
From: Henning Dieterichs
Date: Wed, 15 Feb 2023 16:43:32 +0100
Subject: [PATCH] Don't load code when not in sandbox.

---
 website/src/runner/index.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/website/src/runner/index.ts b/website/src/runner/index.ts
index 51105bd0..590d17cb 100644
--- a/website/src/runner/index.ts
+++ b/website/src/runner/index.ts
@@ -8,6 +8,12 @@ import { IMessage, IPreviewState } from "../shared";
 import "./style.scss";
 window.addEventListener("message", (event) => {
+	const isInSandbox = window.origin === "null";
+	if (!isInSandbox) {
+		// To prevent someone from using this html file to run arbitrary code in non-sandboxed context
+		console.error("not in sandbox");
+		return;
+	}
 	const e = event.data as IMessage | { kind: undefined };
 	if (e.kind === "initialize") {
 		initialize(e.state);
@@ -43,7 +49,9 @@ async function initialize(state: IPreviewState) {
 		eval(state.js);
 	} catch (err) {
 		const pre = document.createElement("pre");
-		pre.appendChild(document.createTextNode(`${err}`));
+		pre.appendChild(
+			document.createTextNode(`${err}: ${(err as any).state}`)
+		);
 		document.body.insertBefore(pre, document.body.firstChild);
 	}
 }
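Review bot: The new guard checks only the frame's own origin, not who sent the message: once it passes, the listener still forwards `e.state` to `initialize`, which (per the second hunk) runs `eval(state.js)`, for a message from any `event.source`. The sandbox bounds what that code can reach, but the handler should also verify the sender, e.g. `if (event.source !== window.parent) return;` or compare `event.origin` against the expected host origin. Note too that `window.origin === "null"` holds for any opaque origin, not specifically a sandboxed iframe, so the `"not in sandbox"` message slightly overstates what the check establishes; and since the value cannot change between messages, the check could run once at module load rather than on every event. The listener's body continues outside the hunk.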
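Review bot: `(err as any).state` in the new `createTextNode` call discards the `unknown` type of the catch variable, and for an error that carries no `state` property the inserted text will read `…: undefined`. Narrow instead of casting: `const state = typeof err === "object" && err !== null && "state" in err ? (err as { state?: unknown }).state : undefined;` and then `pre.appendChild(document.createTextNode(state === undefined ? `${err}` : `${err}: ${state}`));`. The `try` block this `catch` belongs to, and the rest of `initialize`, start outside the hunk.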