@bobfrankston/rmfmail 1.0.676 → 1.0.678

package/client/app.js

@@ -1084,29 +1084,41 @@ function addComposeResizeHandles(wrapper, frame) {
 // 30-40px columns inside a phone-width compose pane and wrap text
 // character-by-character. Strip styles + flatten tables before quoting.
 function sanitizeQuotedBody(msg) {
-    // `white-space:pre-wrap` preserves the original line breaks but lets long
-    // lines wrap to the compose width. `<pre>` would have suppressed wrapping
-    // entirely, producing a horizontal-scrolling quote inside the editor.
-    let body = msg.bodyHtml || `<div style="white-space:pre-wrap;font-family:inherit;margin:0">${msg.bodyText || ""}</div>`;
+    // Two-mode quote: plain-text gets a pre-wrap wrapper so line breaks
+    // render as breaks; HTML is preserved verbatim modulo a minimal scrub
+    // for tags that have no legitimate place inside a quoted reply.
+    //
+    // We do NOT strip inline styles, classes, or table attributes any
+    // more — that earlier aggressive strip destroyed 95% of the original
+    // sender's formatting (CSS in email is almost entirely inline; see
+    // discussion 2026-05-11 about how every mail client preserves the
+    // source HTML). Wide content is now clamped via CSS (.reply *
+    // { max-width: 100% } in compose.css) instead of by rewriting the
+    // DOM. Tables stay tables, paragraphs stay paragraphs, font sizes
+    // and colors survive.
+    //
+    // Script-class tags (<script>, <style>, <link>, <base>, on*= attrs,
+    // javascript: URLs) are belt-and-braces — sanitizeHtml in mailx-core
+    // already strips them at body-store time, so msg.bodyHtml shouldn't
+    // contain them. Stripping again here is cheap insurance against a
+    // future provider/path that didn't go through that pipeline.
+    const isPlainText = !msg.bodyHtml;
+    if (isPlainText) {
+        const escaped = String(msg.bodyText || "")
+            .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+        return `<div style="white-space:pre-wrap;font-family:inherit;margin:0">${escaped}</div>`;
+    }
+    let body = msg.bodyHtml;
+    // Minimal defense-in-depth strip. <style> blocks would leak global
+    // CSS into the compose document; <link> / <base> would fetch remote
+    // resources; <script> would be inert in contenteditable but the tag
+    // would persist into the sent message which is rude.
+    body = body.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
     body = body.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
-    body = body.replace(/\s+style="[^"]*"/gi, "");
-    body = body.replace(/\s+class="[^"]*"/gi, "");
-    // Strip layout-table attrs only off non-<img> tags. Earlier this regex
-    // ate width/height on <img> too, which is what made App Store / Play
-    // Store buttons render huge in quoted replies (the source ad had
-    // explicit width="120" height="40" on each image). Q138.
-    body = body.replace(/<(?!img\b)([^>]*?)\s+(width|height|align|valign|bgcolor|cellpadding|cellspacing|border)="[^"]*"([^>]*)>/gi, (_m, before, _attr, after) => `<${before}${after}>`);
-    // Loop until no more matches — a single tag with multiple stripped
-    // attrs needs more than one pass since the regex only handles one
-    // attribute per match.
-    let prev = "";
-    while (prev !== body) {
-        prev = body;
-        body = body.replace(/<(?!img\b)([^>]*?)\s+(width|height|align|valign|bgcolor|cellpadding|cellspacing|border)="[^"]*"([^>]*)>/gi, (_m, before, _attr, after) => `<${before}${after}>`);
-    }
-    body = body.replace(/<table[^>]*>/gi, "<div>").replace(/<\/table>/gi, "</div>");
-    body = body.replace(/<t[rdh][^>]*>/gi, "").replace(/<\/t[rdh]>/gi, " ");
-    body = body.replace(/<thead[^>]*>|<\/thead>|<tbody[^>]*>|<\/tbody>/gi, "");
+    body = body.replace(/<link[^>]*>/gi, "");
+    body = body.replace(/<base[^>]*>/gi, "");
+    body = body.replace(/\s+on\w+="[^"]*"/gi, "");
+    body = body.replace(/\s+on\w+='[^']*'/gi, "");
     return body;
 }
 function quoteBody(msg) {