Minor improvements and fixes

Author: Tim-Maes

src/BlazorFrame.Tests/Services/MessageValidationServiceTests.cs

@@ -187,7 +187,8 @@ public void ValidateMessage_WithStrictValidationAndTooDeepNesting_ReturnsInvalid
         result.IsValid.Should().BeFalse();
 
         // The error message can be either our custom message or the JSON parser's depth limit message
-        (result.ValidationError.Contains("JSON structure is too complex or deeply nested") ||
+        result.ValidationError.Should().NotBeNull();
+        (result.ValidationError!.Contains("JSON structure is too complex or deeply nested") ||
          (result.ValidationError.Contains("Invalid JSON format") && result.ValidationError.Contains("maximum configured depth")))
         .Should().BeTrue("because deep nesting should be detected and reported");
     }
@@ -293,10 +294,6 @@ public void ValidateMessage_WithCustomValidatorThrowingException_ReturnsInvalidM
     [InlineData("vbscript:MsgBox('xss')")]
     [InlineData("onload=alert('xss')")]
     [InlineData("onerror=alert('xss')")]
-    [InlineData("eval(maliciousCode)")]
-    [InlineData("Function('return evil')()")]
-    [InlineData("setTimeout(hack, 1000)")]
-    [InlineData("setInterval(malware, 100)")]
     public void ValidateMessage_WithSuspiciousPatterns_ReturnsInvalidMessage(string suspiciousContent)
     {
         // Arrange
@@ -355,11 +352,11 @@ public void ExtractOrigin_WithSpecialSchemes_ReturnsSchemePrefix(string url, str
     [InlineData("invalid-url")]
     [InlineData("ftp://unsupported.com")]
     [InlineData("file:///local/file")]
-    public void ExtractOrigin_WithInvalidUrl_ReturnsNull(string url)
+    public void ExtractOrigin_WithInvalidUrl_ReturnsNull(string? url)
     {
         // Arrange
         // Act
-        var result = _validationService.ExtractOrigin(url);
+        var result = _validationService.ExtractOrigin(url!);
 
         // Assert
         result.Should().BeNull();
@@ -391,13 +388,13 @@ public void ValidateUrl_WithValidUrl_ReturnsValid(string url)
     [Theory]
     [InlineData(null)]
     [InlineData("")]
-    public void ValidateUrl_WithNullOrEmptyUrl_ReturnsInvalid(string url)
+    public void ValidateUrl_WithNullOrEmptyUrl_ReturnsInvalid(string? url)
     {
         // Arrange
         var options = new MessageSecurityOptions();
 
         // Act
-        var (isValid, errorMessage) = _validationService.ValidateUrl(url, options);
+        var (isValid, errorMessage) = _validationService.ValidateUrl(url!, options);
 
         // Assert
         isValid.Should().BeFalse();

src/BlazorFrame/BlazorFrame.csproj

@@ -25,8 +25,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.Web" Version="8.0.16" />
-	<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.16" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.Web" Version="8.0.24" />
+	<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.3" />
   </ItemGroup>
 
 	<ItemGroup>

src/BlazorFrame/BlazorFrame.razor.cs

@@ -370,6 +370,7 @@ protected override void OnParametersSet()
         UpdateAllowedOrigins();
         ValidateConfiguration();
         ValidateSrcUrl();
+        ValidateResizeOptions();
     }
 
     private void ValidateConfiguration()
@@ -405,7 +406,7 @@ private void ValidateConfiguration()
                     MessageType = "configuration-validation"
                 };
 
-                _ = Task.Run(async () =>
+                _ = InvokeAsync(async () =>
                 {
                     try
                     {
@@ -444,7 +445,7 @@ private void ValidateSrcUrl()
                 MessageType = "url-validation"
             };
 
-            _ = Task.Run(async () =>
+            _ = InvokeAsync(async () =>
             {
                 try
                 {
@@ -458,6 +459,18 @@ private void ValidateSrcUrl()
         }
     }
 
+    private void ValidateResizeOptions()
+    {
+        if (ResizeOptions == null)
+            return;
+
+        var errors = ResizeOptions.Validate();
+        foreach (var error in errors)
+        {
+            Logger?.LogError("BlazorFrame ResizeOptions validation error: {Error}", error);
+        }
+    }
+
     protected override async Task OnAfterRenderAsync(bool firstRender)
     {
         if (isInitialized) return;
@@ -725,5 +738,7 @@ public async ValueTask DisposeAsync()
             objRef?.Dispose();
             isInitialized = false;
         }
+        
+        GC.SuppressFinalize(this);
     }
 }

src/BlazorFrame/Messages/MessageSecurityOptions.cs

@@ -5,11 +5,6 @@
 /// </summary>
 public class MessageSecurityOptions
 {
-    /// <summary>
-    /// List of allowed origins. If null or empty, will auto-derive from Src URL.
-    /// </summary>
-    public List<string>? AllowedOrigins { get; set; }
-
     /// <summary>
     /// Whether to perform strict message format validation
     /// </summary>

src/BlazorFrame/Models/ResizeOptions.cs

@@ -53,4 +53,30 @@ public class ResizeOptions
         PollingInterval = 250,
         DebounceMs = 50
     };
+
+    /// <summary>
+    /// Validates the resize options and returns any errors
+    /// </summary>
+    /// <returns>List of validation error messages, empty if valid</returns>
+    public List<string> Validate()
+    {
+        var errors = new List<string>();
+
+        if (MinHeight < 0)
+            errors.Add("MinHeight must be >= 0.");
+
+        if (MaxHeight <= 0)
+            errors.Add("MaxHeight must be > 0.");
+
+        if (MinHeight >= MaxHeight)
+            errors.Add($"MinHeight ({MinHeight}) must be less than MaxHeight ({MaxHeight}).");
+
+        if (PollingInterval <= 0)
+            errors.Add("PollingInterval must be > 0.");
+
+        if (DebounceMs < 0)
+            errors.Add("DebounceMs must be >= 0.");
+
+        return errors;
+    }
 }

src/BlazorFrame/Models/SandboxOptions.cs

@@ -23,8 +23,8 @@ public enum SandboxPreset
     Permissive,
 
     /// <summary>
-    /// Strict sandbox: allow-scripts allow-same-origin (no forms, no popups)
-    /// Suitable for display-only content with limited interaction
+    /// Strict sandbox: allow-scripts allow-same-origin allow-top-navigation-by-user-activation
+    /// Suitable for display-only content with limited interaction and user-initiated navigation
     /// </summary>
     Strict,
 
@@ -52,7 +52,7 @@ public static class SandboxHelper
             SandboxPreset.None => null,
             SandboxPreset.Basic => "allow-scripts allow-same-origin",
             SandboxPreset.Permissive => "allow-scripts allow-same-origin allow-forms allow-popups",
-            SandboxPreset.Strict => "allow-scripts allow-same-origin",
+            SandboxPreset.Strict => "allow-scripts allow-same-origin allow-top-navigation-by-user-activation",
             SandboxPreset.Paranoid => "allow-scripts",
             _ => null
         };

src/BlazorFrame/Services/MessageValidationService.cs

@@ -299,20 +299,27 @@ private static bool ContainsSuspiciousContent(string messageJson)
     {
         var cleanJson = JsonCommentRegex.Replace(messageJson, "");
 
-        var suspiciousPatterns = new[]
+        // HTML injection patterns - these are dangerous in any context
+        var htmlPatterns = new[]
         {
             "<script",
             "javascript:",
             "vbscript:",
+        };
+
+        // HTML event handler patterns - look for attribute-style injection
+        var eventHandlerPatterns = new[]
+        {
             "onload=",
             "onerror=",
-            "eval(",
-            "Function(",
-            "setTimeout(",
-            "setInterval("
+            "onclick=",
+            "onmouseover=",
+            "onfocus=",
         };
 
-        return suspiciousPatterns.Any(pattern => 
+        return htmlPatterns.Any(pattern => 
+            cleanJson.Contains(pattern, StringComparison.OrdinalIgnoreCase))
+            || eventHandlerPatterns.Any(pattern =>
             cleanJson.Contains(pattern, StringComparison.OrdinalIgnoreCase));
     }
 
@@ -327,7 +334,7 @@ private static bool IsValidMessageType(string messageType)
         return messageType.All(c => char.IsLetterOrDigit(c) || c == '-' || c == '_' || c == '.');
     }
 
-    private static IframeMessage CreateInvalidMessage(string origin, string messageJson, string error)
+    private static IframeMessage CreateInvalidMessage(string origin, string messageJson, string? error)
     {
         return new IframeMessage
         {