
Embed generator missing sandbox="allow-same-origin" causing Custom scripts to not execute #1

@JorianWoltjer


When embedding a pipeline with a Custom step, the default sandbox attribute causes the script to fail.

Take the following example that has a single step of custom JavaScript:

return input.replace("a", "b")

https://yeswehack.github.io/Dom-Explorer/dom-explorer#eyJpbnB1dCI6ImEiLCJwaXBlbGluZXMiOlt7ImlkIjoiYzMwYWJ0MmkiLCJuYW1lIjoiRG9tIFRyZWUiLCJwaXBlcyI6W3sibmFtZSI6IkN1c3RvbSIsImlkIjoiY25vdG5va3EiLCJoaWRlIjpmYWxzZSwic2tpcCI6ZmFsc2UsIm9wdHMiOnsiY29kZSI6InJldHVybiBpbnB1dC5yZXBsYWNlKFwiYVwiLCBcImJcIikifX1dfV19

When clicking on the Embed tab and copying the <iframe> code, this is the result:

<iframe sandbox="allow-scripts allow-modals allow-popups" src="https://yeswehack.github.io/Dom-Explorer/dom-explorer/frame?input=editable&amp;titleBar=readonly&amp;readonly=true&amp;pipe[titleBar]=true&amp;pipe[settings]=true&amp;pipe[render]=true&amp;pipe[skip]=true#eyJpbnB1dCI6ImEiLCJwaXBlbGluZXMiOlt7ImlkIjoiYzMwYWJ0MmkiLCJuYW1lIjoiRG9tIFRyZWUiLCJwaXBlcyI6W3sibmFtZSI6IkN1c3RvbSIsImlkIjoiY25vdG5va3EiLCJoaWRlIjpmYWxzZSwic2tpcCI6ZmFsc2UsIm9wdHMiOnsiY29kZSI6InJldHVybiBpbnB1dC5yZXBsYWNlKFwiYVwiLCBcImJcIikifX1dfV19"></iframe>

When this is displayed on a page, the script won't execute, leaving an empty string:

https://r.jtw.sh/poc.html?gist=ec667550d4c1d152f556c2c7e2ee6d64


When the allow-same-origin attribute is added to the sandbox, it does work:

<iframe width="100%" height="100%" sandbox="allow-same-origin allow-scripts allow-modals allow-popups" ...></iframe>


I think either this attribute should always be added to the sandbox, or Dom-Explorer should detect when the Custom step is used and enable it only then.
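The second option proposed in the report, written out as an added example (my own code, not part of the issue or of the Dom-Explorer project): decode the pipeline state carried in the URL fragment, check whether any pipe is a "Custom" step, and only then prepend allow-same-origin to the sandbox flags the embed generator already emits. It assumes the fragment is plain base64 of the pipeline JSON, which is what the fragment in the report decodes to; the query string and the three existing sandbox flags are copied from the embed above, and all function names are my own.

```javascript
// Added example (not Dom-Explorer's own code): choose sandbox flags for an
// embed based on whether the encoded pipeline contains a "Custom" step.

const FRAME_BASE = "https://yeswehack.github.io/Dom-Explorer/dom-explorer/frame";
// Query string copied from the <iframe> embed shown in the report.
const FRAME_QUERY =
  "input=editable&titleBar=readonly&readonly=true&pipe[titleBar]=true" +
  "&pipe[settings]=true&pipe[render]=true&pipe[skip]=true";
// Flags the embed generator emits today, per the report.
const BASE_SANDBOX = ["allow-scripts", "allow-modals", "allow-popups"];

// The fragment from the report's URL: base64 of {"input":"a","pipelines":[...]}
// with a single pipe named "Custom" whose code is: return input.replace("a", "b")
const EXAMPLE_HASH =
  "eyJpbnB1dCI6ImEiLCJwaXBlbGluZXMiOlt7ImlkIjoiYzMwYWJ0MmkiLCJuYW1lIjoiRG9tIFRyZWUiLCJwaXBlcyI6W3sibmFtZSI6IkN1c3RvbSIsImlkIjoiY25vdG5va3EiLCJoaWRlIjpmYWxzZSwic2tpcCI6ZmFsc2UsIm9wdHMiOnsiY29kZSI6InJldHVybiBpbnB1dC5yZXBsYWNlKFwiYVwiLCBcImJcIikifX1dfV19";

// Decode base64 to UTF-8 text; atob() exists in browsers and current Node,
// with a Buffer fallback for older Node versions.
function base64ToUtf8(b64) {
  const binary = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
  return new TextDecoder().decode(Uint8Array.from(binary, (c) => c.charCodeAt(0)));
}

// Assumption: the fragment is plain base64 of the pipeline JSON, as in the report.
function decodePipelineState(hash) {
  const state = JSON.parse(base64ToUtf8(hash.replace(/^#/, "")));
  if (!Array.isArray(state.pipelines)) {
    throw new Error("pipeline state has no pipelines array");
  }
  return state;
}

// True when any pipeline contains a "Custom" step (the step that runs user-supplied JS).
function usesCustomStep(state) {
  return state.pipelines.some(
    (pipeline) => Array.isArray(pipeline.pipes) &&
      pipeline.pipes.some((pipe) => pipe.name === "Custom")
  );
}

// Grant allow-same-origin only when a Custom step is present; otherwise keep
// the narrower default flags.
function buildSandbox(state) {
  const flags = usesCustomStep(state) ? ["allow-same-origin", ...BASE_SANDBOX] : BASE_SANDBOX;
  return flags.join(" ");
}

// Escape a value for use inside a double-quoted HTML attribute (the report's
// embed shows "&" already escaped as "&amp;" in src).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the <iframe> embed for a given state fragment.
function buildEmbed(hash) {
  const clean = hash.replace(/^#/, "");
  const state = decodePipelineState(clean);
  const src = `${FRAME_BASE}?${FRAME_QUERY}#${clean}`;
  return `<iframe sandbox="${escapeAttr(buildSandbox(state))}" src="${escapeAttr(src)}"></iframe>`;
}

console.log(buildEmbed(EXAMPLE_HASH));
```

Combining allow-scripts with allow-same-origin means the framed document is no longer treated as an opaque origin: it runs as an ordinary document from its own origin, which here is github.io rather than the embedding page, so it gains no access to the embedder. Keeping the flag conditional on a Custom step, as the report suggests, leaves embeds without user JavaScript on the stricter default.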
