fix: allow <style> and essential attributes in sanitizer

[retrogtx]

before:

after:

Summary by CodeRabbit

• New Features

  • Improved support for rendering styled email content by allowing additional HTML tags and attributes, including broader support for inline styles and common formatting attributes.

• Bug Fixes

  • Enhanced email display compatibility by permitting more attributes and styles, reducing the likelihood of missing or incorrectly formatted elements in emails.

[coderabbitai]

"""

Walkthrough

The sanitization configuration for processing email HTML was updated to allow more tags and attributes. The 'style' tag is now permitted, and a detailed whitelist of allowed attributes and styles was introduced for various tags. No changes were made to function signatures or exported entities.

Changes

File(s)	Change Summary
apps/server/src/lib/email-processor.ts	Expanded allowed HTML tags and attributes in the email HTML sanitizer, permitting 'style' tags and various attributes/styles with detailed CSS property whitelisting.

Possibly related PRs

• fixes to email rendering #1646: Modifies the sanitization configuration in processEmailHtml, expanding allowed tags and attributes similar to this PR.

Poem

In the warren of code, a change hops through,
Now emails sparkle with styles anew.
Tags and attributes, carefully picked,
For rabbits and humans, HTML is slicked.
With colors and classes, our messages gleam,
Sanitized safely, like a bunny’s dream! 🐇✨
"""

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f86a49 and 68e398b.

📒 Files selected for processing (1)

• apps/server/src/lib/email-processor.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/server/src/lib/email-processor.ts

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[greptile-apps]

PR Summary

Modified email HTML sanitization to improve email rendering compatibility while maintaining security measures in apps/server/src/lib/email-processor.ts.

• Added support for <style> tags and essential HTML attributes to fix broken email rendering
• Configured granular attribute allowlisting for specific HTML elements to maintain security
• Enabled CSS style validation through regex pattern matching
• Images and links remain secured through existing sanitization controls

_{1 file reviewed, 1 comment
Edit PR Review Bot Settings | Greptile}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38bcc6e and c1614cf.

📒 Files selected for processing (1)

• apps/server/src/lib/email-processor.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

apps/server/src/lib/email-processor.ts (1)

Learnt from: retrogtx
PR: Mail-0/Zero#1468
File: apps/server/src/trpc/routes/mail.ts:386-391
Timestamp: 2025-06-27T04:59:29.731Z
Learning: In apps/server/src/trpc/routes/mail.ts, the attachment processing logic conditionally handles mixed attachment types - it preserves existing File-like objects with arrayBuffer methods while only converting serialized attachments that need processing through toAttachmentFiles.

🔇 Additional comments (3)

apps/server/src/lib/email-processor.ts (3)

17-17: Consider the security implications of allowing <style> tags.

While allowing <style> tags may be necessary for proper email rendering, it introduces potential security risks including CSS injection attacks and data exfiltration through CSS. Consider implementing additional CSS content validation if not already present.

---

19-34: Good security practice using attribute whitelist.

The change from disallowing all attributes to using a specific whitelist is a good security practice. The selected attributes are commonly needed for email HTML rendering and are generally safe.

---

48-48: Minor formatting improvement.

Good addition of trailing comma for consistency.