@bobfrankston/rmfmail 1.0.677 → 1.0.678

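--- a/package/client/app.ts
+++ b/package/client/app.ts
@@ -1051,31 +1051,41 @@ function addComposeResizeHandles(wrapper: HTMLElement, frame: HTMLIFrameElement)
  // 30-40px columns inside a phone-width compose pane and wrap text
  // character-by-character. Strip styles + flatten tables before quoting.
  function sanitizeQuotedBody(msg: any): string {
- // `white-space:pre-wrap` preserves the original line breaks but lets long
- // lines wrap to the compose width. `<pre>` would have suppressed wrapping
- // entirely, producing a horizontal-scrolling quote inside the editor.
- let body = msg.bodyHtml || `<div style="white-space:pre-wrap;font-family:inherit;margin:0">${msg.bodyText || ""}</div>`;
- body = body.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
- body = body.replace(/\s+style="[^"]*"/gi, "");
- body = body.replace(/\s+class="[^"]*"/gi, "");
- // Strip layout-table attrs only off non-<img> tags. Earlier this regex
- // ate width/height on <img> too, which is what made App Store / Play
- // Store buttons render huge in quoted replies (the source ad had
- // explicit width="120" height="40" on each image). Q138.
- body = body.replace(/<(?!img\b)([^>]*?)\s+(width|height|align|valign|bgcolor|cellpadding|cellspacing|border)="[^"]*"([^>]*)>/gi,
- (_m: string, before: string, _attr: string, after: string) => `<${before}${after}>`);
- // Loop until no more matches a single tag with multiple stripped
- // attrs needs more than one pass since the regex only handles one
- // attribute per match.
- let prev = "";
- while (prev !== body) {
- prev = body;
- body = body.replace(/<(?!img\b)([^>]*?)\s+(width|height|align|valign|bgcolor|cellpadding|cellspacing|border)="[^"]*"([^>]*)>/gi,
- (_m: string, before: string, _attr: string, after: string) => `<${before}${after}>`);
+ // Two-mode quote: plain-text gets a pre-wrap wrapper so line breaks
+ // render as breaks; HTML is preserved verbatim modulo a minimal scrub
+ // for tags that have no legitimate place inside a quoted reply.
+ //
+ // We do NOT strip inline styles, classes, or table attributes any
+ // more that earlier aggressive strip destroyed 95% of the original
+ // sender's formatting (CSS in email is almost entirely inline; see
+ // discussion 2026-05-11 about how every mail client preserves the
+ // source HTML). Wide content is now clamped via CSS (.reply *
+ // { max-width: 100% } in compose.css) instead of by rewriting the
+ // DOM. Tables stay tables, paragraphs stay paragraphs, font sizes
+ // and colors survive.
+ //
+ // Script-class tags (<script>, <style>, <link>, <base>, on*= attrs,
+ // javascript: URLs) are belt-and-braces sanitizeHtml in mailx-core
+ // already strips them at body-store time, so msg.bodyHtml shouldn't
+ // contain them. Stripping again here is cheap insurance against a
+ // future provider/path that didn't go through that pipeline.
+ const isPlainText = !msg.bodyHtml;
+ if (isPlainText) {
+ const escaped = String(msg.bodyText || "")
+ .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+ return `<div style="white-space:pre-wrap;font-family:inherit;margin:0">${escaped}</div>`;
  }
- body = body.replace(/<table[^>]*>/gi, "<div>").replace(/<\/table>/gi, "</div>");
- body = body.replace(/<t[rdh][^>]*>/gi, "").replace(/<\/t[rdh]>/gi, " ");
- body = body.replace(/<thead[^>]*>|<\/thead>|<tbody[^>]*>|<\/tbody>/gi, "");
+ let body: string = msg.bodyHtml;
+ // Minimal defense-in-depth strip. <style> blocks would leak global
+ // CSS into the compose document; <link> / <base> would fetch remote
+ // resources; <script> would be inert in contenteditable but the tag
+ // would persist into the sent message which is rude.
+ body = body.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+ body = body.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+ body = body.replace(/<link[^>]*>/gi, "");
+ body = body.replace(/<base[^>]*>/gi, "");
+ body = body.replace(/\s+on\w+="[^"]*"/gi, "");
+ body = body.replace(/\s+on\w+='[^']*'/gi, "");
  return body;
  }
 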
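Review bot: The comment at new lines 1067–1068 says `javascript:` URLs are part of the strip, but none of the six `replace` calls at 1083–1088 touches `href`/`src` values, and the two `on*=` regexes at 1087–1088 match only double- or single-quoted values, so an unquoted value or one with whitespace around `=` is left in place. Regex over serialized HTML is also brittle against tag and attribute spellings the patterns did not anticipate; since this is browser code (the hunk header's context already takes `HTMLElement`/`HTMLIFrameElement`), a `DOMParser` pass gives the same defense-in-depth with far fewer gaps and does not execute scripts or fetch resources while parsing. At minimum the comment should drop the `javascript: URLs` claim so the next reader does not rely on it. The rewrite below replaces the six `replace` calls with a parser-based strip that also removes the URL schemes the comment promises; it serializes `doc.body.innerHTML`, which drops anything outside `<body>` — fine for a quoted reply, but worth confirming against how the result is inserted into the compose frame.
```typescript
  let body: string = msg.bodyHtml;
  // … unchanged: comment explaining the defense-in-depth strip …
  // Parse instead of regex-rewriting: DOMParser neither runs scripts nor
  // fetches resources while parsing, and element/attribute checks are not
  // dodged by quoting or whitespace variants the regexes did not anticipate.
  const doc = new DOMParser().parseFromString(body, "text/html");
  for (const el of Array.from(doc.querySelectorAll("script, style, link, base"))) el.remove();
  for (const el of Array.from(doc.querySelectorAll("*"))) {
    for (const attr of Array.from(el.attributes)) {
      const name = attr.name.toLowerCase();
      const value = attr.value.trim().toLowerCase();
      const isHandler = name.startsWith("on");
      const isScriptUrl = (name === "href" || name === "src") && value.startsWith("javascript:");
      if (isHandler || isScriptUrl) el.removeAttribute(attr.name);
    }
  }
  body = doc.body.innerHTML;
  return body;
```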