Fix: render HTML instead of raw code on print

[suraj719]

Description

Fixes the issue where clicking the "Print" button in email displays raw HTML instead of the rendered email output.

Fixes the issue #1850

---

Type of Change

Please delete options that are not relevant.

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature with breaking changes)
• 📝 Documentation update
• 🎨 UI/UX improvement
• 🔒 Security enhancement
• ⚡ Performance improvement

Areas Affected

Please check all that apply:

• Email Integration (Gmail, IMAP, etc.)
• User Interface/Experience
• Authentication/Authorization
• Data Storage/Management
• API Endpoints
• Documentation
• Testing Infrastructure
• Development Workflow
• Deployment/Infrastructure

Testing Done

Describe the tests you've done:

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• Cross-browser testing (if UI changes)
• Mobile responsiveness verified (if UI changes)

Security Considerations

For changes involving data or authentication:

• No sensitive data is exposed
• Authentication checks are in place
• Input validation is implemented
• Rate limiting is considered (if applicable)

Checklist

• I have read the CONTRIBUTING document
• My code follows the project's style guidelines
• I have performed a self-review of my code
• I have commented my code, particularly in complex areas
• I have updated the documentation
• My changes generate no new warnings
• I have added tests that prove my fix/feature works
• All tests pass locally
• Any dependent changes are merged and published

Additional Notes

The existing cleanHtml utility was reused to sanitize and render the HTML properly before printing.

Screenshots/Recordings

---

By submitting this pull request, I confirm that my contribution is made under the terms of the project's license.

---

Summary by cubic

Fixed the print button so it now shows the rendered email content instead of raw HTML code.

• Bug Fixes
• Replaced HTML escaping with HTML sanitization to display formatted email content when printing.

Summary by CodeRabbit

• Refactor
  • Improved email content rendering by updating the HTML sanitization method for better consistency and maintainability. No visible changes to email display or functionality.

[jazzberry-ai]

Bug Report

No bugs found. Definition of cleanHtml is missing, making it impossible to assess the security or functional impact of the patch.

_{Comments? Email us. This is the last day of your free trial. Subscribe at jazzberry.ai.}

[coderabbitai]

Walkthrough

This change removes a locally defined escapeHtml function from the MailDisplay component and replaces its usage with an imported cleanHtml function from @/lib/email-utils for rendering email content. No other logic or exported entities are modified.

Changes

Cohort / File(s)	Change Summary
MailDisplay HTML Escaping Refactor apps/mail/components/mail/mail-display.tsx	Removed local escapeHtml function; replaced its usage with imported cleanHtml for email body rendering.

Sequence Diagram(s)

sequenceDiagram
    participant MailDisplay
    participant email-utils

    MailDisplay->>email-utils: cleanHtml(decodedBody)
    email-utils-->>MailDisplay: Returns sanitized HTML
    MailDisplay->>User: Renders cleaned email content

Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Print button shows raw HTML instead of rendered HTML #1850: This PR changes the HTML escaping method for email content, directly addressing issues with HTML rendering and escaping.

Possibly related PRs

• Fix/email printing #1529: Continues the work of replacing the local escape function with the imported cleanHtml.
• new email renderer #1584: Related to transitioning to a new secure email renderer and HTML sanitization.

Suggested labels

design

Suggested reviewers

• MrgSub

Poem

🚀 Code refactored, functions are lean,
Local escapes out, cleanHtml on the scene.
Emails now safer, content rendered right—
Simpler, cleaner, a beautiful sight.
Onward to Mars, with code that is tight!

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Potential style injection in tag	Medium	Include a <style> tag within a tag with potentially malicious CSS.	DOMPurify might not properly sanitize CSS within the tag, potentially leading to a style injection vulnerability. Example: <math><malignmark style="animation:move infinite 2s;animation-name:move"><style>@keyframes move {from {left:0} to {left:100px}}</style>

_{Comments? Email us. This is the last day of your free trial. Subscribe at jazzberry.ai.}

[cubic-dev-ai]

cubic analysis

No issues found across 1 file. Review in cubic

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 180133f and 597ae19.

📒 Files selected for processing (1)

• apps/mail/components/mail/mail-display.tsx (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (AGENT.md)

**/*.{js,jsx,ts,tsx}: Use 2-space indentation
Use single quotes
Limit lines to 100 characters in width
Semicolons are required

Files:

• apps/mail/components/mail/mail-display.tsx

**/*.{js,jsx,ts,tsx,css}

📄 CodeRabbit Inference Engine (AGENT.md)

Use Prettier with sort-imports and Tailwind plugins

Files:

• apps/mail/components/mail/mail-display.tsx

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (AGENT.md)

Enable TypeScript strict mode

Files:

• apps/mail/components/mail/mail-display.tsx

🧠 Learnings (2)

📓 Common learnings

Learnt from: snehendu098
PR: Mail-0/Zero#1323
File: apps/mail/lib/themes/theme-utils.ts:318-318
Timestamp: 2025-06-24T06:22:58.753Z
Learning: In the Mail-0/Zero theme system (apps/mail/lib/themes/theme-utils.ts), when color themes are being applied, all color values come in HSL format, so there's no need for additional format validation when converting colors with hslToHex().

apps/mail/components/mail/mail-display.tsx (3)

Learnt from: snehendu098
PR: #1323
File: apps/mail/lib/themes/theme-utils.ts:318-318
Timestamp: 2025-06-24T06:22:58.753Z
Learning: In the Mail-0/Zero theme system (apps/mail/lib/themes/theme-utils.ts), when color themes are being applied, all color values come in HSL format, so there's no need for additional format validation when converting colors with hslToHex().

Learnt from: retrogtx
PR: #1328
File: apps/mail/lib/hotkeys/mail-list-hotkeys.tsx:202-209
Timestamp: 2025-06-18T17:26:50.918Z
Learning: In apps/mail/lib/hotkeys/mail-list-hotkeys.tsx, the switchCategoryByIndex function using hardcoded indices for category hotkeys does not break when users reorder categories, contrary to the theoretical index-shifting issue. The actual implementation has constraints or mechanisms that prevent hotkey targeting issues.

Learnt from: danteissaias
PR: #618
File: apps/mail/components/mail/mail-iframe.tsx:12-12
Timestamp: 2025-04-07T20:46:11.697Z
Learning: In the Mail-0/Zero application, sender emails are guaranteed to be non-empty when passed to components that handle them, making additional empty string validation unnecessary.

🧬 Code Graph Analysis (1)

apps/mail/components/mail/mail-display.tsx (1)

apps/mail/lib/email-utils.ts (1)

• cleanHtml (213-222)

🔇 Additional comments (1)

apps/mail/components/mail/mail-display.tsx (1)

58-58: Good call—one shared sanitizer beats many bespoke hacks

Pulling in cleanHtml aligns the module with our central XSS-defense strategy and deletes dead weight (escapeHtml). Nice move; less code, more safety.

[jazzberry-ai]

Bug Report

Name: XSS Vulnerability due to DOMPurify fallback
Severity: Medium
Example test case: If DOMPurify fails or is not available, the email content is not sanitized, potentially leading to XSS vulnerabilities.
Description: The cleanHtml function in apps/mail/lib/email-utils.ts uses DOMPurify to sanitize HTML content. However, if DOMPurify fails or is not available, the function falls back to rendering the string '

No email content available

'. While this prevents a crash, it means that unsanitized HTML from the email body will be rendered. Since the user could insert arbitrary HTML, this opens a vulnerability to XSS attacks. Since the email is replaced entirely, I am marking the severity as medium. The second commit removes the extra fallback, so if the cleanHtml function returns undefined or null, nothing will be rendered.

_{Comments? Email us. This is the last day of your free trial. Subscribe at jazzberry.ai.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 597ae19 and 56a5d20.

📒 Files selected for processing (1)

• apps/mail/components/mail/mail-display.tsx (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (AGENT.md)

**/*.{js,jsx,ts,tsx}: Use 2-space indentation
Use single quotes
Limit lines to 100 characters in width
Semicolons are required

Files:

• apps/mail/components/mail/mail-display.tsx

**/*.{js,jsx,ts,tsx,css}

📄 CodeRabbit Inference Engine (AGENT.md)

Use Prettier with sort-imports and Tailwind plugins

Files:

• apps/mail/components/mail/mail-display.tsx

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (AGENT.md)

Enable TypeScript strict mode

Files:

• apps/mail/components/mail/mail-display.tsx

🧠 Learnings (2)

📓 Common learnings

Learnt from: snehendu098
PR: Mail-0/Zero#1323
File: apps/mail/lib/themes/theme-utils.ts:318-318
Timestamp: 2025-06-24T06:22:58.753Z
Learning: In the Mail-0/Zero theme system (apps/mail/lib/themes/theme-utils.ts), when color themes are being applied, all color values come in HSL format, so there's no need for additional format validation when converting colors with hslToHex().

apps/mail/components/mail/mail-display.tsx (4)

Learnt from: snehendu098
PR: #1323
File: apps/mail/lib/themes/theme-utils.ts:318-318
Timestamp: 2025-06-24T06:22:58.753Z
Learning: In the Mail-0/Zero theme system (apps/mail/lib/themes/theme-utils.ts), when color themes are being applied, all color values come in HSL format, so there's no need for additional format validation when converting colors with hslToHex().

Learnt from: danteissaias
PR: #618
File: apps/mail/components/mail/mail-iframe.tsx:12-12
Timestamp: 2025-04-07T20:46:11.697Z
Learning: In the Mail-0/Zero application, sender emails are guaranteed to be non-empty when passed to components that handle them, making additional empty string validation unnecessary.

Learnt from: retrogtx
PR: #1328
File: apps/mail/lib/hotkeys/mail-list-hotkeys.tsx:202-209
Timestamp: 2025-06-18T17:26:50.918Z
Learning: In apps/mail/lib/hotkeys/mail-list-hotkeys.tsx, the switchCategoryByIndex function using hardcoded indices for category hotkeys does not break when users reorder categories, contrary to the theoretical index-shifting issue. The actual implementation has constraints or mechanisms that prevent hotkey targeting issues.

Learnt from: retrogtx
PR: #1468
File: apps/server/src/trpc/routes/mail.ts:386-391
Timestamp: 2025-06-27T04:59:29.731Z
Learning: In apps/server/src/trpc/routes/mail.ts, the attachment processing logic conditionally handles mixed attachment types - it preserves existing File-like objects with arrayBuffer methods while only converting serialized attachments that need processing through toAttachmentFiles.

🔇 Additional comments (1)

apps/mail/components/mail/mail-display.tsx (1)

56-60: Centralized HTML sanitization locked in, looks good 🚀
Ran a repo‐wide search—no lingering escapeHtml calls. Clean, consistent, and DRY. Onward to a leaner codebase (and Mars).

[jazzberry-ai]

Bug Report

Name: Potential XSS vulnerability due to outdated DOMPurify version and lack of configuration check
Severity: Medium
Example test case: Upgrade DOMPurify to the latest version and implement a configuration check to ensure it's used with recommended settings to prevent XSS bypasses.
Description: The application uses DOMPurify version 3.2.5 for sanitizing HTML content. While this version doesn't have any known critical vulnerabilities, it's essential to keep DOMPurify updated to the latest version to benefit from the newest security patches and improvements. Additionally, the code doesn't explicitly check the DOMPurify configuration. If DOMPurify is misconfigured (e.g., allowing unsafe tags or attributes), it could be bypassed, leading to an XSS vulnerability.

_{Comments? Email us.}

[suraj719]

Hi @MrgSub, could you please take a look at this PR when you get a chance? Let me know if any changes are needed. Thanks!

[Malix-Labs]

Lil bit of lore https://x.com/reactreaper/status/1952029007400354009