`) that
// browsers + Feishu native renderer already handle.
func classifyTag(tag string) (kind, ruleID string) {
tag = strings.ToLower(tag)
if allowedTags[tag] {
return "allow", ""
}
if id, ok := blockedTags[tag]; ok {
return "error", id
}
if id, ok := warnAutofixTags[tag]; ok {
return "warn", id
}
// Unknown / niche tags: pass through silently. The cli's existing
// `htmlTagRe` (mail_quote.go:333) tolerates them too. Users authoring
// HTML in Feishu native classes (`adit-html-block*`, `history-quote-*`,
// `lark-mail-doc-quote`) hit this path — they MUST pass through unchanged
// so reply / forward quote markup survives lint round-trips.
return "allow", ""
}
// Attribute / URL / style classification --------------------------------------
// allowedURLSchemes lists URL schemes that pass through hyperlink-bearing
// attrs (`href`, `src`, `cite`, `formaction` etc.). Allowed: http(s), mailto,
// cid, data:image/*; everything else (notably javascript: and vbscript:) is
// blocked. Empty / relative URLs (no scheme) are always
// allowed because they resolve relatively at render time and pose no
// injection vector.
var allowedURLSchemes = map[string]bool{
"http": true,
"https": true,
"mailto": true,
"cid": true,
}
// blockedURLSchemes is the explicit deny-list. data:image/* is special-cased
// in classifyURLValue.
var blockedURLSchemes = map[string]bool{
"javascript": true,
"vbscript": true,
"file": true,
}
// classifyURLValue returns ("ok", "") if the URL value is acceptable, or
// ("error", ruleID) when it must be removed (javascript:/vbscript:/file:),
// or ("warn", ruleID) when the scheme is unrecognised but not actively
// dangerous. Empty values pass through (browsers ignore them).
func classifyURLValue(raw string) (kind, ruleID string) {
value := strings.TrimSpace(raw)
if value == "" {
return "ok", ""
}
// Strip leading whitespace + control bytes that could obscure the
// scheme (e.g. "java\tscript:..."). The html-parser already strips
// stray whitespace at attribute boundaries; this is defence-in-depth
// for older clients that paste from Word with U+0009 / U+0020 inside
// the scheme prefix.
value = strings.Map(func(r rune) rune {
if r < 0x20 || r == 0x7F {
return -1
}
return r
}, value)
// Find the colon delimiter; everything before it is the scheme.
colon := strings.IndexByte(value, ':')
if colon < 0 {
// No scheme → relative URL → allow.
return "ok", ""
}
scheme := strings.ToLower(value[:colon])
rest := value[colon+1:]
switch {
case allowedURLSchemes[scheme]:
return "ok", ""
case scheme == "data":
// data:image/* is whitelisted; anything else (e.g. data:text/html;...)
// is rejected. The check tolerates any subtype under image/* (png /
// jpeg / gif / svg+xml / webp) so users embedding base64 thumbnails
// don't trip the rule.
rest = strings.TrimSpace(rest)
if strings.HasPrefix(strings.ToLower(rest), "image/") {
return "ok", ""
}
return "error", RuleAttrJSURLBlocked
case blockedURLSchemes[scheme]:
return "error", RuleAttrJSURLBlocked
default:
// Unknown scheme: surface a warning so users see it but don't
// drop legitimate webcal:/tel: / similar in case downstream
// renders eventually support them.
return "warn", RuleAttrUnsafeSchemeBlocked
}
}
// urlAttributes lists attributes whose value is a URL and must therefore
// pass classifyURLValue. Lower-case canonical names.
var urlAttributes = map[string]bool{
"href": true,
"src": true,
"cite": true,
"formaction": true,
"action": true,
"background": true,
"poster": true,
}
// allowedStyleProps enumerates CSS property names that pass through the
// inline `style="..."` attribute. Everything else is removed from the
// property list and surfaced via STYLE_PROPERTY_DROPPED.
//
// `border-*` / `padding-*` / `margin-*` are treated as prefix matches by
// classifyStyleProperty so the four directional variants (border-top etc.)
// are all admitted without enumerating each.
var allowedStyleProps = map[string]bool{
"color": true,
"background-color": true,
"font-size": true,
"font-weight": true,
"font-style": true,
"text-align": true,
"text-decoration": true,
"line-height": true,
"padding": true,
"margin": true,
"border": true,
"width": true,
"height": true,
"display": true,
"text-indent": true,
// Quote-block / native Feishu styles (tag classification "通过").
// Whitespace + word-break are part of the existing `` / quote
// wrapper styles in mail_quote.go (e.g. `bodyDivStyle`).
"white-space": true,
"word-break": true,
"word-wrap": true,
"overflow": true,
"overflow-wrap": true,
"vertical-align": true,
"list-style": true,
"list-style-type": true,
"list-style-position": true,
"transition": true,
"font-family": true,
"text-transform": true,
"hyphens": true,
"max-width": true,
"min-width": true,
"max-height": true,
"min-height": true,
"border-radius": true,
"box-sizing": true,
"opacity": true,
"cursor": true,
}
// stylePropAllowedPrefixes enumerates property name prefixes treated as
// allowed regardless of suffix (e.g. "border-*"). A trailing "-" makes the
// prefix self-documenting.
var stylePropAllowedPrefixes = []string{
"border-",
"padding-",
"margin-",
}
// classifyStyleProperty reports whether the given lower-case property name
// is in the allow-list (incl. prefix matches).
func classifyStyleProperty(name string) bool {
name = strings.ToLower(strings.TrimSpace(name))
if name == "" {
return false
}
if allowedStyleProps[name] {
return true
}
for _, p := range stylePropAllowedPrefixes {
if strings.HasPrefix(name, p) {
return true
}
}
return false
}
// isEventHandlerAttr reports whether the attribute name is a DOM event
// handler (`on*`). The lib removes every such attribute regardless of its
// value (tag classification row "错误(删除)" + the well-known XSS vector).
func isEventHandlerAttr(name string) bool {
name = strings.ToLower(strings.TrimSpace(name))
if !strings.HasPrefix(name, "on") {
return false
}
if len(name) <= 2 {
return false
}
// Defence-in-depth: avoid matching legitimate attrs whose name happens
// to begin with "on" (e.g. `onerror`-like attrs all start "on" + ascii
// letter). The `>= 'a'` check filters out "on-something" with hyphens.
c := name[2]
return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
}