fix: gate RegisterCsiHandler for CSI t with WindowOptions permission check

Wrap user-provided CSI t handlers registered via RegisterCsiHandler with a
permission check against the terminal's WindowOptions configuration. Without
this gate, custom handlers were called for all window option parameters
regardless of configuration.

Add WindowOptions struct, paramToWindowOption helper, and WithWindowOptions
option constructor. The default WindowOptions denies all sub-commands,
matching upstream xterm.js behavior.

Fixes #40

Co-authored-by: Ona <no-reply@ona.com>

Author: ona-automations

options.go

@@ -37,6 +37,89 @@ type WindowsPty struct {
 	BuildNo int    `json:"buildNumber,omitempty"`
 }
 
+// WindowOptions controls which CSI t (window manipulation) sub-commands are
+// permitted. All fields default to false (denied). Mirrors upstream xterm.js
+// IWindowOptions interface.
+type WindowOptions struct {
+	RestoreWin        bool `json:"restoreWin,omitempty"`
+	MinimizeWin       bool `json:"minimizeWin,omitempty"`
+	SetWinPosition    bool `json:"setWinPosition,omitempty"`
+	SetWinSizePixels  bool `json:"setWinSizePixels,omitempty"`
+	RaiseWin          bool `json:"raiseWin,omitempty"`
+	LowerWin          bool `json:"lowerWin,omitempty"`
+	RefreshWin        bool `json:"refreshWin,omitempty"`
+	SetWinSizeChars   bool `json:"setWinSizeChars,omitempty"`
+	MaximizeWin       bool `json:"maximizeWin,omitempty"`
+	FullscreenWin     bool `json:"fullscreenWin,omitempty"`
+	GetWinState       bool `json:"getWinState,omitempty"`
+	GetWinPosition    bool `json:"getWinPosition,omitempty"`
+	GetWinSizePixels  bool `json:"getWinSizePixels,omitempty"`
+	GetScreenSizePixels bool `json:"getScreenSizePixels,omitempty"`
+	GetCellSizePixels bool `json:"getCellSizePixels,omitempty"`
+	GetWinSizeChars   bool `json:"getWinSizeChars,omitempty"`
+	GetScreenSizeChars bool `json:"getScreenSizeChars,omitempty"`
+	GetIconTitle      bool `json:"getIconTitle,omitempty"`
+	GetWinTitle       bool `json:"getWinTitle,omitempty"`
+	PushTitle         bool `json:"pushTitle,omitempty"`
+	PopTitle          bool `json:"popTitle,omitempty"`
+	SetWinLines       bool `json:"setWinLines,omitempty"`
+}
+
+// paramToWindowOption checks whether the given CSI t sub-command parameter is
+// allowed by the WindowOptions configuration.
+func paramToWindowOption(n int32, opts WindowOptions) bool {
+	if n > 24 {
+		return opts.SetWinLines
+	}
+	switch n {
+	case 1:
+		return opts.RestoreWin
+	case 2:
+		return opts.MinimizeWin
+	case 3:
+		return opts.SetWinPosition
+	case 4:
+		return opts.SetWinSizePixels
+	case 5:
+		return opts.RaiseWin
+	case 6:
+		return opts.LowerWin
+	case 7:
+		return opts.RefreshWin
+	case 8:
+		return opts.SetWinSizeChars
+	case 9:
+		return opts.MaximizeWin
+	case 10:
+		return opts.FullscreenWin
+	case 11:
+		return opts.GetWinState
+	case 13:
+		return opts.GetWinPosition
+	case 14:
+		return opts.GetWinSizePixels
+	case 15:
+		return opts.GetScreenSizePixels
+	case 16:
+		return opts.GetCellSizePixels
+	case 18:
+		return opts.GetWinSizeChars
+	case 19:
+		return opts.GetScreenSizeChars
+	case 20:
+		return opts.GetIconTitle
+	case 21:
+		return opts.GetWinTitle
+	case 22:
+		return opts.PushTitle
+	case 23:
+		return opts.PopTitle
+	case 24:
+		return opts.SetWinLines
+	}
+	return false
+}
+
 // VtExtensions gates non-standard terminal extensions.
 // Mirrors upstream xterm.js vtExtensions option.
 // Pointer fields default to true when nil.
@@ -104,6 +187,7 @@ type TerminalOptions struct {
 	ConvertEol                    bool                `json:"convertEol"`
 	TermName                      string              `json:"termName"`
 	WindowsPty                    WindowsPty          `json:"windowsPty"`
+	WindowOptions                 WindowOptions       `json:"windowOptions"`
 	VtExtensions                  VtExtensions        `json:"vtExtensions"`
 }
 
@@ -227,6 +311,7 @@ func (s *OptionsService) applyOverrides(opts *TerminalOptions) {
 	s.Options.MacOptionIsMeta = opts.MacOptionIsMeta
 	s.Options.AltClickMovesCursor = opts.AltClickMovesCursor
 	s.Options.WindowsPty = opts.WindowsPty
+	s.Options.WindowOptions = opts.WindowOptions
 	s.Options.VtExtensions = opts.VtExtensions
 }
 

options_test.go

@@ -317,3 +317,53 @@ func TestOptionsServiceSetOptionConvertEol(t *testing.T) {
 		t.Errorf("(-want +got):\n%s", diff)
 	}
 }
+
+func TestParamToWindowOption(t *testing.T) {
+	t.Parallel()
+
+	type TestCase struct {
+		Name    string
+		Param   int32
+		Opts    WindowOptions
+		Allowed bool
+	}
+	tests := []TestCase{
+		{"default denies all", 18, WindowOptions{}, false},
+		{"getWinSizeChars allowed", 18, WindowOptions{GetWinSizeChars: true}, true},
+		{"restoreWin allowed", 1, WindowOptions{RestoreWin: true}, true},
+		{"minimizeWin allowed", 2, WindowOptions{MinimizeWin: true}, true},
+		{"setWinPosition allowed", 3, WindowOptions{SetWinPosition: true}, true},
+		{"setWinSizePixels allowed", 4, WindowOptions{SetWinSizePixels: true}, true},
+		{"raiseWin allowed", 5, WindowOptions{RaiseWin: true}, true},
+		{"lowerWin allowed", 6, WindowOptions{LowerWin: true}, true},
+		{"refreshWin allowed", 7, WindowOptions{RefreshWin: true}, true},
+		{"setWinSizeChars allowed", 8, WindowOptions{SetWinSizeChars: true}, true},
+		{"maximizeWin allowed", 9, WindowOptions{MaximizeWin: true}, true},
+		{"fullscreenWin allowed", 10, WindowOptions{FullscreenWin: true}, true},
+		{"getWinState allowed", 11, WindowOptions{GetWinState: true}, true},
+		{"getWinPosition allowed", 13, WindowOptions{GetWinPosition: true}, true},
+		{"getWinSizePixels allowed", 14, WindowOptions{GetWinSizePixels: true}, true},
+		{"getScreenSizePixels allowed", 15, WindowOptions{GetScreenSizePixels: true}, true},
+		{"getCellSizePixels allowed", 16, WindowOptions{GetCellSizePixels: true}, true},
+		{"getScreenSizeChars allowed", 19, WindowOptions{GetScreenSizeChars: true}, true},
+		{"getIconTitle allowed", 20, WindowOptions{GetIconTitle: true}, true},
+		{"getWinTitle allowed", 21, WindowOptions{GetWinTitle: true}, true},
+		{"pushTitle allowed", 22, WindowOptions{PushTitle: true}, true},
+		{"popTitle allowed", 23, WindowOptions{PopTitle: true}, true},
+		{"setWinLines allowed", 24, WindowOptions{SetWinLines: true}, true},
+		{"param > 24 uses setWinLines", 25, WindowOptions{SetWinLines: true}, true},
+		{"param > 24 denied without setWinLines", 30, WindowOptions{}, false},
+		{"unmapped param 12 denied", 12, WindowOptions{}, false},
+		{"wrong option for param", 14, WindowOptions{GetCellSizePixels: true}, false},
+	}
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+			got := paramToWindowOption(tc.Param, tc.Opts)
+			if got != tc.Allowed {
+				t.Errorf("paramToWindowOption(%d, ...) = %v, want %v", tc.Param, got, tc.Allowed)
+			}
+		})
+	}
+}
+

terminal.go

@@ -28,6 +28,11 @@ func WithScreenReaderMode(on bool) Option {
 	return func(o *TerminalOptions) { o.ScreenReaderMode = on }
 }
 
+// WithWindowOptions configures which CSI t sub-commands are permitted.
+func WithWindowOptions(wo WindowOptions) Option {
+	return func(o *TerminalOptions) { o.WindowOptions = wo }
+}
+
 // WithVtExtensions configures non-standard VT extensions.
 func WithVtExtensions(ext VtExtensions) Option {
 	return func(o *TerminalOptions) { o.VtExtensions = ext }
@@ -309,7 +314,17 @@ func (t *Terminal) RegisterApcHandler(id FunctionIdentifier, handler func(data s
 
 // RegisterCsiHandler registers a custom handler for a CSI escape sequence.
 // The handler returns true to stop the handler chain from bubbling further.
+// For CSI t (window options), the handler is wrapped with a permission check
+// against the terminal's WindowOptions configuration.
 func (t *Terminal) RegisterCsiHandler(id FunctionIdentifier, handler CsiHandler) Disposable {
+	if id.Final == 't' && id.Prefix == 0 && id.Intermediates == "" {
+		return t.inputHandler.parser.RegisterCsiHandler(id, func(params *Params) bool {
+			if !paramToWindowOption(params.Params[0], t.optionsService.Options.WindowOptions) {
+				return true
+			}
+			return handler(params)
+		})
+	}
 	return t.inputHandler.parser.RegisterCsiHandler(id, handler)
 }
 

terminal_test.go

@@ -773,6 +773,106 @@ func TestTerminalRegisterCsiHandler(t *testing.T) {
 	}
 }
 
+func TestTerminalRegisterCsiHandlerWindowOptionGate(t *testing.T) {
+	t.Parallel()
+
+	t.Run("blocked when window option not permitted", func(t *testing.T) {
+		t.Parallel()
+		// Default WindowOptions has all fields false — handler should be blocked.
+		term := New(WithCols(80), WithRows(24))
+
+		var called bool
+		term.RegisterCsiHandler(FunctionIdentifier{Final: 't'}, func(params *Params) bool {
+			called = true
+			return true
+		})
+
+		// Send CSI 18 t (getWinSizeChars)
+		term.WriteString("\x1b[18t")
+		if called {
+			t.Fatal("CSI t handler was called despite window option not being permitted")
+		}
+	})
+
+	t.Run("allowed when window option is permitted", func(t *testing.T) {
+		t.Parallel()
+		term := New(WithCols(80), WithRows(24), WithWindowOptions(WindowOptions{
+			GetWinSizeChars: true,
+		}))
+
+		var called bool
+		var gotParam int32
+		term.RegisterCsiHandler(FunctionIdentifier{Final: 't'}, func(params *Params) bool {
+			called = true
+			if params.Length > 0 {
+				gotParam = params.Params[0]
+			}
+			return true
+		})
+
+		// Send CSI 18 t (getWinSizeChars — permitted)
+		term.WriteString("\x1b[18t")
+		if !called {
+			t.Fatal("CSI t handler was not called despite window option being permitted")
+		}
+		if gotParam != 18 {
+			t.Fatalf("got param %d, want 18", gotParam)
+		}
+	})
+
+	t.Run("only matching sub-command is allowed", func(t *testing.T) {
+		t.Parallel()
+		term := New(WithCols(80), WithRows(24), WithWindowOptions(WindowOptions{
+			GetWinSizeChars: true, // permits param 18
+		}))
+
+		var called bool
+		term.RegisterCsiHandler(FunctionIdentifier{Final: 't'}, func(params *Params) bool {
+			called = true
+			return true
+		})
+
+		// Send CSI 14 t (getWinSizePixels — NOT permitted)
+		term.WriteString("\x1b[14t")
+		if called {
+			t.Fatal("CSI t handler was called for a non-permitted sub-command")
+		}
+	})
+
+	t.Run("non-t CSI handler is not gated", func(t *testing.T) {
+		t.Parallel()
+		term := New(WithCols(80), WithRows(24))
+
+		var called bool
+		term.RegisterCsiHandler(FunctionIdentifier{Final: 'Z'}, func(params *Params) bool {
+			called = true
+			return true
+		})
+
+		term.WriteString("\x1b[18Z")
+		if !called {
+			t.Fatal("non-t CSI handler should not be gated by window options")
+		}
+	})
+
+	t.Run("CSI t with prefix is not gated", func(t *testing.T) {
+		t.Parallel()
+		term := New(WithCols(80), WithRows(24))
+
+		var called bool
+		term.RegisterCsiHandler(FunctionIdentifier{Prefix: '>', Final: 't'}, func(params *Params) bool {
+			called = true
+			return true
+		})
+
+		// Send CSI > 18 t
+		term.WriteString("\x1b[>18t")
+		if !called {
+			t.Fatal("CSI > t handler should not be gated by window options")
+		}
+	})
+}
+
 func TestTerminalRegisterEscHandler(t *testing.T) {
 	t.Parallel()
 	term := newTestTerminal(80, 24)