Merge pull request #1804 from mercihabam/enh-ext-resources-handler

feat(frontend/backend): improve the external resources alert UI, and make it possible to block resources from a sender

Author: kroky

modules/core/functions.php

@@ -632,15 +632,25 @@ function privacy_setting_callback($val, $key, $mod) {
     $key .= '_setting';
     $user_setting = $mod->user_config->get($key);
     $update = $mod->request->post['update'];
+    $pop = $mod->request->post['pop'];
 
     if ($update) {
-        $val = implode($setting['separator'], array_filter(array_merge(explode($setting['separator'], $user_setting), [$val])));
-        $mod->user_config->set($key, $val);
+        if ($pop) {
+            $new_value = implode($setting['separator'], array_filter(explode($setting['separator'], $user_setting), function($item) use ($val) {
+                return $item != $val;
+            }));
+        } else {
+            $new_value = implode($setting['separator'], array_filter(array_merge(explode($setting['separator'], $user_setting), [$val])));
+        }
+        
+        $mod->user_config->set($key, $new_value);
 
         $user_data = $mod->session->get('user_data', array());
-        $user_data[$key] = $val;
+        $user_data[$key] = $new_value;
         $mod->session->set('user_data', $user_data);
         $mod->session->record_unsaved('Privacy settings updated');
+
+        return $new_value;
     }
     return $val;
 }

modules/core/js_modules/actions/privacy_controls.js

@@ -12,4 +12,37 @@ async function addSenderToImagesWhitelist(email) {
             reject();
         });
     });
-}
+}
+
+async function addSenderToImagesBlackList(email) {
+    return new Promise((resolve, reject) => {
+        Hm_Ajax.request([
+            { name: "hm_ajax_hook", value: "ajax_privacy_settings" },
+            { name: "images_blacklist", value: email },
+            { name: "save_settings", value: true },
+            { name: "update", value: true }
+        ], (response) => {
+            resolve(response);
+        }, [], false, undefined, () => {
+            Hm_Notices.show('An error occurred while adding the sender to the blacklist', 'danger');
+            reject();
+        });
+    });
+}
+
+async function removeSenderFromImagesBlackList(email) {
+    return new Promise((resolve, reject) => {
+        Hm_Ajax.request([
+            { name: "hm_ajax_hook", value: "ajax_privacy_settings" },
+            { name: "images_blacklist", value: email },
+            { name: "save_settings", value: true },
+            { name: "update", value: true },
+            { name: "pop", value: true }
+        ], (response) => {
+            resolve(response);
+        }, [], false, undefined, () => {
+            Hm_Notices.show('An error occurred while removing the sender from the blacklist', 'danger');
+            reject();
+        });
+    });
+}

modules/core/js_modules/utils/externalResources.js

@@ -0,0 +1,201 @@
+/**
+ * Allow external resources for the provided element.
+ *
+ * @param {HTMLElement} element - The element containing the allow button.
+ * @param {string} messagePart - The message part associated with the resource.
+ * * @param {Boolean} inline - true if the message is displayed in inline mode, false otherwise.
+ * @returns {void}
+ */
+function handleAllowResource(element, messagePart, inline = false) {
+    element.querySelector('a').addEventListener('click', function (e) {
+        e.preventDefault();
+        $('.msg_text_inner').remove();
+        const externalSources = $(this).data('src').split(',');
+        externalSources?.forEach((source) => Hm_Utils.save_to_local_storage(source, 1));
+        if (inline) {
+            return inline_imap_msg(window.inline_msg_details, window.inline_msg_uid);
+        }
+        return get_message_content(getParam('part'), getMessageUidParam(), getListPathParam(), getParam('list_parent'), false, false, false);
+    });
+}
+
+/**
+ * Create and insert in the DOM an element containing a message and a button to allow the resource.
+ *
+ * @param {HTMLElement} element - The element having the blocked resource.
+ * @param {Boolean} inline - true if the message is displayed in inline mode, false otherwise.
+ * @returns {void}
+ */
+function handleInvisibleResource(element, inline = false) {
+    const dataSrc = element.dataset.src;
+
+    const allowResource = document.createElement('div');
+    allowResource.classList.add('alert', 'alert-warning', 'p-1');
+
+    const source = dataSrc.substring(0, 40) + (dataSrc.length > 40 ? '...' : '');
+    allowResource.innerHTML = `Source blocked: ${element.alt ? element.alt : source}
+    <a href="#" data-src="${dataSrc}" class="btn btn-light btn-sm">
+    Allow</a></div>
+    `;
+
+    document.querySelector('.external_notices').insertAdjacentElement('beforeend', allowResource);
+    handleAllowResource(allowResource, element.dataset.messagePart, inline);
+}
+
+const handleExternalResources = (inline) => {
+    const messageContainer = document.querySelector('.msg_text_inner');
+    const externalNoticesAccordion = document.createElement('div');
+    externalNoticesAccordion.classList.add('accordion');
+    externalNoticesAccordion.id = 'externalNoticesAccordion';
+    messageContainer.insertAdjacentElement('afterbegin', externalNoticesAccordion);
+    externalNoticesAccordion.innerHTML = '<div class="external_notices accordion-collapse collapse"></div>';
+
+    const senderEmail = document.querySelector('#contact_info')?.textContent.match(EMAIL_REGEX)[0];
+
+    if (handleBlockedStatus(inline, senderEmail)) {
+        return;
+    }
+
+    const sender = senderEmail + '_external_resources_allowed';
+    const elements = messageContainer.querySelectorAll('[data-src]');
+    const blockedResources = [];
+
+    elements.forEach(function (element) {
+
+        const dataSrc = element.dataset.src;
+        const senderAllowed = Hm_Utils.get_from_local_storage(sender);
+        const allowed = Hm_Utils.get_from_local_storage(dataSrc);
+
+        switch (Number(allowed) || Number(senderAllowed)) {
+            case 1:
+                element.src = dataSrc;
+                break;
+            default:
+                if ((allowed || senderAllowed) === null) {
+                    Hm_Utils.save_to_local_storage(dataSrc, 0);
+                }
+                handleInvisibleResource(element, inline);
+                blockedResources.push(dataSrc);
+                break;
+        }
+    });
+
+    const noticesElement = document.createElement('div');
+    noticesElement.classList.add('notices');
+
+    if (blockedResources.length) {
+        const allowAll = document.createElement('div');
+        allowAll.classList.add('allow_image_link', 'all', 'fw-bold');
+        allowAll.textContent = 'For security reasons, external resources have been blocked.';
+        if (blockedResources.length > 1) {
+            const allowAllLink = document.createElement('a');
+            allowAllLink.classList.add('btn', 'btn-light', 'btn-sm');
+            allowAllLink.href = '#';
+            allowAllLink.dataset.src = blockedResources.join(',');
+            allowAllLink.textContent = 'Allow all';
+
+            const expandLink = document.createElement('a');
+            expandLink.classList.add('btn', 'btn-sm', 'd-flex', 'align-items-center', 'gap-2');
+            expandLink.href = '#';
+            expandLink.setAttribute('data-bs-toggle', 'collapse');
+            expandLink.setAttribute('data-bs-target', '.external_notices');
+            expandLink.innerHTML = 'Show details <i class="bi bi-chevron-down"></i>';
+            document.querySelector('.external_notices').addEventListener('show.bs.collapse', function () {
+                expandLink.innerHTML = 'Hide details<i class="bi bi-chevron-up"></i>';
+            });
+            document.querySelector('.external_notices').addEventListener('hide.bs.collapse', function () {
+                expandLink.innerHTML = 'Show details<i class="bi bi-chevron-down"></i>';
+            });
+
+            const linksWrapper = $('<div class="d-inline-flex"></div>');
+            linksWrapper.append(allowAllLink);
+            linksWrapper.append(expandLink);
+            allowAll.appendChild(linksWrapper[0]);
+
+            handleAllowResource(allowAll, getParam('part'), inline);
+        }
+        noticesElement.insertAdjacentElement('afterbegin', allowAll);
+
+        const definitiveActions = $('<div class="definitive_actions ms-auto">From this sender always:</div>');
+
+        const button = document.createElement('a');
+        button.setAttribute('href', '#');
+        button.classList.add('always_allow_image', 'btn', 'btn-light', 'btn-sm');
+        button.innerHTML = '<i class="bi bi-check"></i> Allow';
+        definitiveActions.append(button);
+        const popover = sessionAvailableOnlyActionInfo(button)
+
+        button.addEventListener('click', function (e) {
+            e.preventDefault();
+            addSenderToImagesWhitelist(senderEmail).then(refreshMessageContent.bind(null, inline)).finally(() => {
+                popover.dispose();
+            })
+        });
+
+        const alwaysBlockButton = $('<a href="#" class="btn btn-light btn-sm ms-2"><i class="bi bi-shield-lock"></i> Block</a>');
+        const blockPopover = sessionAvailableOnlyActionInfo(alwaysBlockButton[0]);
+        definitiveActions.append(alwaysBlockButton[0]);
+
+        alwaysBlockButton.on('click', function (e) {
+            e.preventDefault();
+            addSenderToImagesBlackList(senderEmail).then(refreshMessageContent.bind(null, inline)).finally(() => {
+                blockPopover.dispose();
+            })
+        });
+
+        noticesElement.appendChild(definitiveActions[0]);
+    }
+
+    document.querySelector('.external_notices').insertAdjacentElement('beforebegin', noticesElement);
+};
+
+function handleBlockedStatus(inline, senderEmail) {
+    if ($('[data-external-resources-blocked="1"]').length) {
+        const infoElement = $('<div class="fw-bold">External resources from this sender are blocked.</div>');
+        const button = $('<a href="#" class="btn btn-light btn-sm ms-2"><i class="bi bi-unlock"></i> Reset permissions</a>');
+
+        $(infoElement).append(button);
+        $('#externalNoticesAccordion').append(infoElement);
+
+        const popover = sessionAvailableOnlyActionInfo(button[0]);
+
+        button.on('click', function (e) {
+            e.preventDefault();
+            removeSenderFromImagesBlackList(senderEmail).then(refreshMessageContent.bind(null, inline)).finally(() => {
+                popover.dispose()
+            });
+        });
+
+        return true;
+    }
+
+    return false;
+}
+
+function refreshMessageContent(inline) {
+    $('.msg_text_inner').remove();
+    if (inline) {
+        inline_imap_msg(window.inline_msg_details, window.inline_msg_uid);
+    } else {
+        get_message_content(getParam('part'), getMessageUidParam(), getListPathParam(), getParam('list_parent'), false, false, false)
+    }
+}
+
+const observeMessageTextMutationAndHandleExternalResources = (inline) => {
+    const message = document.querySelector('.msg_text');
+    if (message) {
+        new MutationObserver(function (mutations) {
+            mutations.forEach(function (mutation) {
+                if (mutation.addedNodes.length > 0) {
+                    mutation.addedNodes.forEach(function (node) {
+                        if (node.classList.contains('msg_text_inner') && !message.querySelector('.external_notices')) {
+                            handleExternalResources(inline);
+                        }
+                    });
+                }
+            });
+        }).observe(message, {
+            childList: true
+        });
+    }
+};

modules/core/message_functions.php

@@ -35,6 +35,7 @@ function format_msg_html($str, $images=false) {
         foreach ($html_tags as $tag) {
             $def->addAttribute($tag, 'data-src', 'Text');
         }
+        $def->addAttribute('div', 'data-external-resources-blocked', 'Text');
     }
 
     try {

modules/core/output_modules.php

@@ -2492,7 +2492,13 @@ class Hm_Output_privacy_settings extends Hm_Output_Module {
             'label' => 'External images whitelist',
             'description' => 'Cypht automatically prevents untrusted external images from loading in messages. Add senders from whom you want to allow images to load.',
             'separator' => ','
-        ]
+        ],
+        'images_blacklist' => [
+            'type' => 'text',
+            'label' => 'External images blacklist',
+            'description' => 'Add senders from whom you never want to allow external images to load.',
+            'separator' => ','
+        ],
     ];
 
     protected function output()

modules/core/setup.php

@@ -360,5 +360,7 @@
         'srv_setup_stepper_imap_hide_from_c_page' => FILTER_VALIDATE_BOOLEAN,
         'images_whitelist' => FILTER_UNSAFE_RAW,
         'update' => FILTER_VALIDATE_BOOLEAN,
+        'images_blacklist' => FILTER_UNSAFE_RAW,
+        'pop' => FILTER_VALIDATE_BOOLEAN,
     )
 );

modules/core/site.css

@@ -1689,4 +1689,7 @@ pre.msg_source {
   .mobile .msg_text .small_header .col-md-2 { width: 20%; }
   .mobile .msg_text .small_header > div + div { width: 80%; }
   .mobile .msg_text .small_header > div.d-none + div { width: 100%; }
+  .notices .definitive_actions {
+    margin-left: 0 !important;
+  }
 }