Replace REMOTE_OBJECTS with an attribute on the body element

program/actions/mail/index.php

@@ -33,7 +33,6 @@ class rcmail_action_mail_index extends rcmail_action
     ];
 
     protected static $PRINT_MODE = false;
-    protected static $REMOTE_OBJECTS;
     protected static $SUSPICIOUS_EMAIL = false;
     protected static $wash_html_body_attrs = [];
 
@@ -1004,7 +1003,14 @@ public static function wash_html($html, $p, $cid_replaces = [])
         $html = rcube_charset::clean($html);
 
         $html = $washer->wash($html);
-        self::$REMOTE_OBJECTS = $washer->extlinks;
+        if ($washer->extlinks) {
+            // This is an ugly solution, but the least invasive I could think
+            // of. The problem is that the "washer" traverses the node tree
+            // from the top and produces a string containing HTML code - so
+            // after "washiing" we have only a big string, and before "washing"
+            // we don't yet know if any remote references are present.
+            $html = str_replace('<body ', '<body data-extlinks="true" ', $html);
+        }
 
         // There was no <body>, but a wrapper element is required
         if (!empty($p['inline_html']) && !empty(self::$wash_html_body_attrs)) {

program/actions/mail/show.php

@@ -705,14 +705,6 @@ public static function message_body($attrib)
                         $rcmail->output->set_env('is_pgp_content', '#' . $container_id);
                     }
 
-                    if ($part->mimetype === 'text/html') {
-                        // "Wash" the HTML part so we can determine if remote
-                        // objects are present as a side effect. At this point
-                        // we're not interested in the result.
-                        // TODO: can we get the information somehow cheaper?
-                        self::wash_html($body, ['inline_html' => false], $part->replaces);
-                    }
-
                     $out .= html::div(['class' => 'message-prefix'], $plugin['prefix']);
                     $out .= html::div(
                         ['id' => $container_id], [
@@ -803,11 +795,6 @@ public static function message_body($attrib)
             }
         }
 
-        // tell client that there are blocked remote objects
-        if (self::$REMOTE_OBJECTS && !$safe_mode) {
-            $rcmail->output->set_env('blockedobjects', true);
-        }
-
         $rcmail->output->add_gui_object('messagebody', $attrib['id']);
 
         return html::div($attrib, $out);

program/js/app.js

@@ -250,13 +250,22 @@ function rcube_webmail() {
 
         if (this.task === 'mail' && (this.env.action === 'preview' || this.env.action === 'show')) {
             document.querySelectorAll('iframe.framed-message-part').forEach((iframe) => {
-                // Run this twice initially: first time when the iframe's
+                // Resize twice initially: first time when the iframe's
                 // document was parsed, to already provide roughly the
                 // correct height; second time when all resources have been
                 // loaded, to finally ensure the correct height with all
                 // images etc.
                 iframe.addEventListener('DOMContentLoaded', () => this.resize_preview_iframe(iframe));
-                iframe.addEventListener('load', () => this.resize_preview_iframe(iframe));
+                iframe.addEventListener('load', () => {
+                    this.resize_preview_iframe(iframe);
+                    // Hide "Loading data" message.
+                    $(iframe).siblings('.loading').hide();
+                    // Show notice
+                    if (iframe.contentDocument.body.dataset.extlinks === 'true') {
+                        $(this.gui_objects.remoteobjectsmsg).show();
+                        this.enable_command('load-remote', true);
+                    }
+                });
                 // Also run on window resizes, because the changed text flow could need more space.
                 window.addEventListener('resize', () => this.resize_preview_iframe(iframe));
             });
@@ -377,11 +386,6 @@ function rcube_webmail() {
                         }, this.env.mail_read_time * 1000);
                     }
 
-                    if (this.env.blockedobjects) {
-                        $(this.gui_objects.remoteobjectsmsg).show();
-                        this.enable_command('load-remote', true);
-                    }
-
                     // make preview/message frame visible
                     if (this.env.action == 'preview' && this.is_framed()) {
                         this.enable_command('compose', 'add-contact', false);

tests/Actions/Mail/IndexTest.php

@@ -345,7 +345,6 @@ public function test_html()
         $this->assertMatchesRegularExpression('/Subscription form/', $html, 'Include <form> contents');
         $this->assertMatchesRegularExpression('/<!-- link ignored -->/', $html, 'No external links allowed');
         $this->assertMatchesRegularExpression('/<a[^>]+ target="_blank"/', $html, 'Set target to _blank');
-        // $this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
 
         // render HTML in safe mode
         $params['safe'] = true;