sanitize html with bluemonday

README.md

@@ -5,6 +5,5 @@ A temporary email service
 ## TODO
 
  - Do not store the raw mail data in the DB, maybe use block storage (the provider can be a disk provider at first)
- - Use `bluemonday` to sanitize the mail html before rendering
  - Cache subject parsed from email. Then when listing the email it is not necessary to parse all mails and retrieve them.
  - Cache in general?

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-chi/chi v1.5.5 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.26 // indirect
+	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
 )

go.sum

@@ -16,7 +16,11 @@ github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microcosm-cc/bluemonday v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
 github.com/microcosm-cc/bluemonday v1.0.26/go.mod h1:JyzOCs9gkyQyjs+6h10UEVSe02CGwkhd72Xdqh78TWs=
+github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
+github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=

pkg/web_server/mail.templ

@@ -2,10 +2,11 @@ package web_server
 
 import (
 	"github.com/russross/blackfriday/v2"
+    "github.com/microcosm-cc/bluemonday"
 	"github.com/GRFreire/nthmail/pkg/mail_utils"
 )
 
-templ mail_body_comp(rcpt_addr string, m mail_utils.Mail_obj) {
+templ mail_body_comp(rcpt_addr string, m mail_utils.Mail_obj, policy *bluemonday.Policy) {
 	<!DOCTYPE html>
 	<html lang="en">
 		<head>
@@ -32,16 +33,16 @@ templ mail_body_comp(rcpt_addr string, m mail_utils.Mail_obj) {
 				</div>
 			</div>
 			<main>
-				@mime_type(m.Body[m.PreferedBodyIndex])
+				@mime_type(m.Body[m.PreferedBodyIndex], policy)
 			</main>
 		</body>
 	</html>
 }
 
-templ mime_type(b mail_utils.Mail_body) {
+templ mime_type(b mail_utils.Mail_body, policy *bluemonday.Policy) {
 	switch b.MimeType {
 		case mail_utils.Html:
-			@body_html(b.Data)
+			@body_html(b.Data, policy)
 		case mail_utils.Markdown:
 			@body_markdown(b.Data)
 		case mail_utils.PlainText:
@@ -59,9 +60,9 @@ templ body_plain(s string) {
 	</div>
 }
 
-templ body_html(s string) {
+templ body_html(s string, policy *bluemonday.Policy) {
 	<div class="content-html">
-		@templ.Raw(s)
+		@templ.Raw(policy.Sanitize(s))
 	</div>
 }
 

pkg/web_server/main.go

@@ -14,12 +14,16 @@ import (
 	"github.com/GRFreire/nthmail/pkg/rig"
 	"github.com/go-chi/chi"
 	_ "github.com/mattn/go-sqlite3"
+	"github.com/microcosm-cc/bluemonday"
 )
 
 func Start(db *sql.DB) error {
 	server := &ServerResouces{}
 	server.db = db
 
+	server.policy = bluemonday.UGCPolicy()
+	server.policy.AllowAttrs("style").Globally()
+
 	domain, exists := os.LookupEnv("MAIL_SERVER_DOMAIN")
 	if !exists {
 		domain = "localhost"
@@ -51,6 +55,7 @@ func Start(db *sql.DB) error {
 
 type ServerResouces struct {
 	db     *sql.DB
+	policy *bluemonday.Policy
 	domain string
 }
 
@@ -213,6 +218,6 @@ func (sr ServerResouces) handleMail(res http.ResponseWriter, req *http.Request)
 
 	mail_obj = mail_utils.Set_format_index(mail_obj, format, f_pref)
 
-	body := mail_body_comp(rcpt_addr, mail_obj)
+	body := mail_body_comp(rcpt_addr, mail_obj, sr.policy)
 	body.Render(req.Context(), res)
 }