diff --git a/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx b/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
index 4573907f..62cdbab1 100644
--- a/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
+++ b/src/components/code-editor/view/subcomponents/CodeEditorMediaPreview.tsx
@@ -142,6 +142,13 @@ export default function CodeEditorMediaPreview({
 // stale URL from the previous file is never rendered during a switch.
 const currentUrl = url && loadedKey === sourceKey ? url : null;
+ // SVGs render safely inline via (scripts don't execute there), but the
+ // open-in-new-tab link is a top-level navigation. A blob URL inherits the
+ // app's origin, so a user-controlled SVG with an embedded