The Sighting inspector — GET <dashboard_path>/sightings/:public_id.
Renders the "SIGHTING REPORT" for one email: a status/engagement summary, and five tabs — Preview, Text, Headers, Footprints (the event timeline), and Raw.
Preview tab sandboxing
html_body is arbitrary, third-party HTML the host application sent (or
that arrived via SES capture) — it is untrusted content, not markup this
app authored. It is rendered via an <iframe srcdoc="..."> with
sandbox="allow-same-origin" and no allow-scripts in the sandbox
token list, and it is never passed through raw/1/Phoenix.HTML.raw/1
into the surrounding page — only ever into the iframe's srcdoc
attribute, which HEEx escapes as a normal attribute value (so embedded
" / < in the HTML can't break out of the attribute or inject into the
parent document). The combination means: even if html_body contains
<script>, the browser's sandbox refuses to execute it (no
allow-scripts token), and it can never execute in the parent frame's
origin/context regardless (that's what an iframe boundary is for) — the
worst case is inert markup rendered inside the sandboxed frame.
Back-navigation preserves filters
The "back to the trail" link reads a ?back= query param (the page path
suffix and filter query string TrailLog was showing when the user clicked
into this sighting — see TrailLog's sighting_path/2) and round-trips
it, rather than hard-coding a plain link back to dashboard_path, so
returning from the inspector lands on the same page (Trail Log, Sightings,
Bounces, or Complaints) with its filters intact.