fix(mail): warn before opening mismatched displayed links by KaannKara · Pull Request #1833 · runbox/runbox7

KaannKara · 2026-05-11T23:17:17Z

Fixes #1688.

Summary

Add a click interceptor for rendered message links that compares URL-like visible link text with the actual href.
Show the existing confirmation dialog before opening mismatched links, and only open the link after the user accepts.
Apply the same handling to sanitized inline HTML and srcdoc iframe HTML views, while preserving mailto compose handling.

Tests

npx tsc -p src/tsconfig.spec.json --noEmit
npx eslint src/app/mailviewer/singlemailviewer.component.ts src/app/mailviewer/singlemailviewer.component.spec.ts (passes with existing warnings)
npm run lint (passes with existing warnings)
npm run policy (passes; reports existing historical commit-message notes)
npm run build (passes with existing Angular/CommonJS warnings)
npm run test -- --watch=false --browsers=ChromeHeadless --include=src/app/mailviewer/singlemailviewer.component.spec.ts (blocked: ChromeHeadless launcher is not registered in this checkout)

AI use disclosure

Used OpenAI Codex to inspect the issue, implement the patch, and run local validation.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 76fdf03efd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-05-11T23:22:38Z

+    confirmDialog.afterClosed().subscribe(result => {
+      if (result) {
+        const openedWindow = window.open(linkMismatch.href, '_blank', 'noopener');
+        if (openedWindow) {


Open confirmed links in a direct user-gesture handler

In warnBeforeOpeningMismatchedLink, the call to window.open happens inside afterClosed().subscribe(...), which runs after the dialog close flow rather than inside the original link click handler. In browsers with stricter popup-blocking heuristics (commonly Safari/Firefox and hardened Chrome settings), that loses transient user activation, so users can click “open link” and still get no tab/window because window.open is blocked and returns null. This introduces a real regression for mismatched links: they may become impossible to open even after explicit confirmation.

Useful? React with 👍 / 👎.

Kaan added 2 commits May 12, 2026 01:58

test(mail): cover mismatched link warnings

ea22cbc

fix(mail): warn on mismatched displayed links

76fdf03

chatgpt-codex-connector Bot reviewed May 11, 2026

View reviewed changes

fix(mail): preserve user activation for link warnings

cd17893

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(mail): warn before opening mismatched displayed links#1833

fix(mail): warn before opening mismatched displayed links#1833
KaannKara wants to merge 3 commits into
runbox:masterfrom
KaannKara:warn-mismatched-email-links

KaannKara commented May 11, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

chatgpt-codex-connector Bot May 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

KaannKara commented May 11, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot May 11, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant