fix: harden ai review html and iframe messaging #3748

Open
vahapogut wants to merge 1 commit into tscircuit:main from vahapogut:fix-runframe-security-guards

Conversation

@vahapogut

Fixes #3376

Summary

  • Sanitize AI review markdown HTML with DOMPurify before rendering it via dangerouslySetInnerHTML.
  • Use the latest loaded AI review text when rendering the review body.
  • Restrict iframe postMessage handling to the expected iframe contentWindow and derived iframe origin, and send responses to that origin instead of *.
  • Add tests for markdown fallback safety and iframe message source/origin guards.

Verification

  • bun test tests\ai-review-markdown-sanitization.test.ts tests\runframe-iframe-message-security.test.ts
  • bun x tsc --noEmit
  • bun x biome format lib\components\AiReviewDialog\ViewAiReviewView.tsx lib\components\AiReviewDialog\render-ai-review-markdown.ts lib\components\RunFrameWithIframe\RunFrameWithIframe.tsx tests\ai-review-markdown-sanitization.test.ts tests\runframe-iframe-message-security.test.ts package.json bun.lock
  • bun run build:lib
  • git diff --check

Note: I also attempted full bun test; Bun 1.3.14 crashed with an internal panic while running the existing circuitwebworker2 test after the new security tests had passed.
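The source/origin guard described in the summary above, as an added example that is not code from this PR or from tscircuit/runframe. It models the iframe and the message event as plain objects so it runs without a DOM; the function names (`deriveIframeOrigin`, `isTrustedIframeMessage`, `handleIframeMessage`, `makeIframe`) and the `runframe_ack` reply shape are assumptions.

```javascript
// Added example, not code from the PR: a postMessage guard following the
// summary above. Function names are assumed; the iframe and event objects are
// constructed stand-ins for the DOM ones so the example runs without a browser.

// Origin the iframe was loaded from; null for unparsable or opaque (about:blank) sources.
function deriveIframeOrigin(iframeSrc) {
  try {
    const origin = new URL(iframeSrc).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Accept a message only if it comes from this iframe's window AND from the
// origin we loaded into it. Either check alone is too weak: any page on the
// expected origin could otherwise talk to us, and a frame navigated elsewhere
// still has the same contentWindow.
function isTrustedIframeMessage(event, iframe) {
  if (!iframe || !iframe.contentWindow || !event) return false;
  if (event.source !== iframe.contentWindow) return false;
  const expectedOrigin = deriveIframeOrigin(iframe.src);
  return expectedOrigin !== null && event.origin === expectedOrigin;
}

// Handle one message. Replies go to the derived origin, never "*", so a frame
// that has since navigated to another origin cannot read the response.
function handleIframeMessage(event, iframe) {
  if (!isTrustedIframeMessage(event, iframe)) {
    return { accepted: false };
  }
  const targetOrigin = deriveIframeOrigin(iframe.src);
  const reply = { type: "runframe_ack", id: event.data && event.data.id };
  iframe.contentWindow.postMessage(reply, targetOrigin);
  return { accepted: true, targetOrigin };
}

// Constructed stand-in for an <iframe>: records what was posted into it.
function makeIframe(src) {
  const sent = [];
  const contentWindow = {
    postMessage: (message, targetOrigin) => sent.push({ message, targetOrigin }),
  };
  return { src, contentWindow, sent };
}
```

In a browser the same guard sits inside a `window.addEventListener("message", ...)` handler with the real `HTMLIFrameElement`; the stand-ins only replace those objects.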

@vercel

vercel Bot commented Jun 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: runframe | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 22, 2026 1:49pm

@github-actions

This PR has been automatically marked as stale because it has had no recent activity. It will be closed if no further activity occurs.

Development

Successfully merging this pull request may close these issues.

Security: unsanitized HTML render and unverified postMessage in lib/components/

1 participant