"Can I use the sandboxRoot/documentRoot attributes with the mx:html control?"
Yes, mx:HTML is just a Flex wrapper on the HTMLLoader object. Have you verified that test.html is actually in the "app-storage:/template/" folder when your app loads?
The iframe sandbox bridge feature was designed to map application content into a different security sandbox, not to map arbitrary non-app content into a different domain. So it's possible that this technique won't work. Try putting the template folder and the files into the application directory and change the documentRoot attribute to "app:/template/". If that works, then the technique probably isn't supported. If it doesn't work, then I'd suspect a problem with your application code.
Yeah the files are in the template folder. I have also tried moving them to a app:/template folder with no joy. I can get the test.html file to load by setting the src="app-storage:/template/test.html" but other content is not mapped as expected, for exampe the <img src="http://www.xyz.com/air/image0.jpg"/> is not loaded from the app-storage:/template folder.
The iframe sandbox bridge feature was designed to map application content into a different security sandbox, not to map arbitrary non-app content into a different domain.
I read that differently from the documentation, http://livedocs.adobe.com/flex/3/html/help.html?content=AboutHTMLEnvironment_5.html, the following text seem to suggest that all content urls are mapped.
When resolving URLs, either in the frame src attribute, or in content loaded into the frame, the part of the URL matching the value specified in sandboxRoot is replaced with the value specified in documentRoot.