@bobfrankston/rmfmail 1.0.679 → 1.0.680

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/client/app.bundle.js.map +2 -2
  2. package/client/app.js +6 -0
  3. package/client/app.js.map +1 -1
  4. package/client/app.ts +6 -0
  5. package/client/compose/compose.bundle.js +21 -0
  6. package/client/compose/compose.bundle.js.map +2 -2
  7. package/client/lib/rmf-tiny.js +21 -0
  8. package/package.json +1 -1
package/client/app.js CHANGED
@@ -1104,6 +1104,12 @@ function sanitizeQuotedBody(msg) {
1104
1104
  // future provider/path that didn't go through that pipeline.
1105
1105
  const isPlainText = !msg.bodyHtml;
1106
1106
  if (isPlainText) {
1107
+ // Full HTML escape. Leaving `>` unescaped was tempting for source
1108
+ // readability but breaks HTML in edge cases — TinyMCE's normalize-
1109
+ // on-paste re-interprets the input, and stray `>` near sequences
1110
+ // like `<!--` / `-->` / `<!` in plain-text bodies can be misread
1111
+ // by the parser. Per Bob 2026-05-12: "not just ugly, it breaks
1112
+ // the HTML." Trivial source-clutter is the lesser evil.
1107
1113
  const escaped = String(msg.bodyText || "")
1108
1114
  .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
1109
1115
  return `<div style="white-space:pre-wrap;font-family:inherit;margin:0">${escaped}</div>`;