fixed mail preview was not sending CSP headers and clicking on mailto-urls redirected to home

mail/inc/class.mail_bo.inc.php

@@ -529,7 +529,7 @@ class mail_bo
 		$identities = $acc->identities();
 
 		$userEMailAdresses = array($acc['ident_email']=>$acc['ident_realname']);
-		
+
 		foreach($identities as $ik => $ident) {
 			//error_log(__METHOD__.' ('.__LINE__.') '.':'.$ik.'->'.array2string($ident));
 			$identity = emailadmin_account::read_identity($ik);
@@ -2043,7 +2043,7 @@ class mail_bo
 			if (self::$debugTimes) self::logRunTimes($starttime,null,'using static',__METHOD__.' ('.__LINE__.') ');
 			return $folders2return[$this->icServer->ImapServerId];
 		}
-			
+
 		if ($_subscribedOnly && $_getCounters===false)
 		{
 			if (is_null($folders2return)) $folders2return = egw_cache::getCache(egw_cache::INSTANCE,'email','folderObjects'.trim($GLOBALS['egw_info']['user']['account_id']),$callback=null,$callback_params=array(),$expiration=60*60*1);
@@ -4509,7 +4509,7 @@ class mail_bo
 
 		// CSS Security
 		// http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets
-		$css = preg_replace('/(javascript|expession|-moz-binding)/i','',$style);
+		$css = preg_replace('/(javascript|expression|-moz-binding)/i','',$style);
 		if (stripos($css,'script')!==false) translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included
 		// we need this, as styledefinitions are enclosed with curly brackets; and template stuff tries to replace everything between curly brackets that is having no horizontal whitespace
 		// as the comments as <!-- styledefinition --> in stylesheet are outdated, and ck-editor does not understand it, we remove it

mail/inc/class.mail_ui.inc.php

@@ -2696,7 +2696,7 @@ unset($query['actions']);
 	}
 
 
-	function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null,$fullHeader=true)
+	function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null)
 	{
 		// seems to be needed, as if we open a mail from notification popup that is
 		// located in a different folder, we experience: could not parse message
@@ -2738,8 +2738,8 @@ $this->partID = $partID;
 //_debug_array($bodyParts); die(__METHOD__.__LINE__);
 		// Compose the content of the frame
 		$frameHtml =
-			$this->get_email_header($this->mail_bo->getStyles($bodyParts),$fullHeader).
-			$this->showBody($this->getdisplayableBody($bodyParts), false,$fullHeader);
+			$this->get_email_header($this->mail_bo->getStyles($bodyParts)).
+			$this->showBody($this->getdisplayableBody($bodyParts), false);
 		//IE10 eats away linebreaks preceeded by a whitespace in PRE sections
 		$frameHtml = str_replace(" \r\n","\r\n",$frameHtml);
 		$this->mail_bo->htmlOptions = $bufferHtmlOptions;
@@ -2747,30 +2747,19 @@ $this->partID = $partID;
 		return $frameHtml;
 	}
 
-	static function get_email_header($additionalStyle='',$fullHeader=true)
+	static function get_email_header($additionalStyle='')
 	{
-		//error_log(__METHOD__.__LINE__.$additionalStyle);
-		$header = ($fullHeader?'
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html>
-	<head>
-		<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />':'').'
-		<style>
-			body, td, textarea {
-				font-family: Verdana, Arial, Helvetica,sans-serif;
-				font-size: 11px;
-			}
-		</style>'.$additionalStyle.'
-		<script type="text/javascript">
-			function GoToAnchor(aname)
-			{
-				window.location.hash=aname;
-			}
-		</script>'.($fullHeader?'
-	</head>
-	<body>
-':'');
-		return $header;
+		// egw_info[flags][css] already include <style> tags
+		$GLOBALS['egw_info']['flags']['css'] = preg_replace('|</?style[^>]*>|i', '', $additionalStyle);
+
+		// do NOT include any default CSS
+		egw_framework::includeCSS('mail', 'preview', true, true);
+
+		// load preview.js to activate mailto links
+		egw_framework::validate_file('/mail/js/preview.js');
+
+		// send CSP and content-type header
+		return $GLOBALS['egw']->framework->header();
 	}
 
 	function showBody(&$body, $print=true,$fullPageTags=true)
@@ -2818,8 +2807,6 @@ blockquote[type=cite] {
 	{
 		$bodyParts	= $_bodyParts;
 
-		$webserverURL	= $GLOBALS['egw_info']['server']['webserver_url'];
-
 		$nonDisplayAbleCharacters = array('[\016]','[\017]',
 				'[\020]','[\021]','[\022]','[\023]','[\024]','[\025]','[\026]','[\027]',
 				'[\030]','[\031]','[\032]','[\033]','[\034]','[\035]','[\036]','[\037]');
@@ -2902,7 +2889,6 @@ blockquote[type=cite] {
 			}
 			//error_log(__METHOD__.__LINE__.array2string($singleBodyPart));
 			#$CharSetUsed = mb_detect_encoding($singleBodyPart['body'] . 'a' , strtoupper($singleBodyPart['charSet']).','.strtoupper(mail_bo::$displayCharset).',UTF-8, ISO-8859-1');
-
 			if($singleBodyPart['mimeType'] == 'text/plain')
 			{
 				//$newBody	= $singleBodyPart['body'];
@@ -2986,18 +2972,7 @@ blockquote[type=cite] {
 					$newBody = preg_replace_callback("/url\(cid:(.*)\);/iU",array($this,'image_callback_url'),$newBody);
 					$newBody = preg_replace_callback("/background=(\"|\')cid:(.*)(\"|\')/iU",array($this,'image_callback_background'),$newBody);
 				}
-				$addAction = egw_link::get_registry('mail','add');
-
-				// create links for email addresses
-				if ($modifyURI)
-				{
-					$link = egw::link('/index.php',array('menuaction'    => $addAction['menuaction']));
-					$newBody = preg_replace("/href=(\"|\')mailto:([\w,\-,\/,\?,\=,\.,&amp;,!\n,\%,@,\*,#,:,~,\+]+)(\"|\')/ie",
-						"'href=\"$link&send_to='.base64_encode('$2').'\"'.' target=\"compose\" onclick=\"window.open(this,this.target,\'dependent=yes,width=700,height=egw_getWindowOuterHeight(),location=no,menubar=no,toolbar=no,scrollbars=yes,status=yes\'); return false;\"'", $newBody);
-					//print "<pre>".htmlentities($newBody)."</pre><hr>";
-				}
-				// replace emails within the text with clickable links.
-				//TODO:$this->parseEmail($newBody);
+				// email addresses / mailto links get now activated on client-side
 			}
 
 			$body .= $newBody;
@@ -3397,19 +3372,18 @@ blockquote[type=cite] {
 	 *
 	 * @return xajax response
 	 */
-	function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null,$_fullHeader=true)
+	function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null)
 	{
 		//error_log(__METHOD__.__LINE__.array2string($_GET));
 		if (!$_messageID && !empty($_GET['_messageID'])) $_messageID = $_GET['_messageID'];
 		if (!$_partID && !empty($_GET['_partID'])) $_partID = $_GET['_partID'];
 		if (!$_htmloptions && !empty($_GET['_htmloptions'])) $_htmloptions = $_GET['_htmloptions'];
-		if (!$_fullHeader && !empty($_GET['_fullHeader'])) $_fullHeader = $_GET['_fullHeader'];
 		if(mail_bo::$debug) error_log(__METHOD__."->".print_r($_messageID,true).",$_partID,$_htmloptions,$_fullHeade");
 		if (empty($_messageID)) return "";
 		$uidA = self::splitRowID($_messageID);
 		$folder = $uidA['folder']; // all messages in one set are supposed to be within the same folder
 		$messageID = $uidA['msgUID'];
-		$bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions,$_fullHeader);
+		$bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions);
 		egw_session::cache_control(true);
 		//error_log(array2string($bodyResponse));
 		echo $bodyResponse;

mail/js/app.js

@@ -635,7 +635,7 @@ app.classes.mail = AppJS.extend(
 		//console.log("mail_preview",nextmatch, selected);
 		// Empty values, just in case selected is empty (user cleared selection)
 		//dataElem.data is populated, when available with fromaddress(string),toaddress(string),additionaltoaddress(array),ccaddress (array)
-		var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",subject:"",attachmentsBlock:""}};
+		var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",attachmentsBlock:""}};
 		if(typeof selected != 'undefined' && selected.length == 1)
 		{
 			var _id = this.mail_fetchCurrentlyFocussed(selected);