Skip to content

feat(templates): add support for HTML templates#643

Open
Mirrrek wants to merge 1 commit into
bulwarkmail:mainfrom
Mirrrek:feat/html-templates
Open

feat(templates): add support for HTML templates#643
Mirrrek wants to merge 1 commit into
bulwarkmail:mainfrom
Mirrrek:feat/html-templates

Conversation

@Mirrrek

@Mirrrek Mirrrek commented Jul 17, 2026

Copy link
Copy Markdown

Summary

Adds a isHTML?: boolean; field to EmailTemplate, deciding if the body: string should be escaped before template use or not. The TemplateForm has an additional button to select between plaintext mode and HTML mode.

Changes

  • EmailTemplate has new isHTML?: boolean field (since it's optional, it should be backwards compatible)
  • TemplateForm has new "HTML" checkbox to indicate the body is HTML
  • EmailComposer only escapes template body if isHTML is falsy
  • PlaceholderFillModal uses dangerouslySetInnerHTML if isHTML is true
  • importTemplates does not sanitize (at all!) template body if isHTML is true

Related Issues

Closes #620

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactor / code quality improvement
  • Chore / dependency update / CI change

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style and conventions
  • I have run npm run typecheck && npm run lint and there are no errors
  • The build passes (npm run build)
  • I have tested my changes locally
  • I have added or updated documentation if needed
  • I have updated translations (locales/) if my changes affect user-facing text
  • I have included screenshots or a screen recording for UI changes

Screenshots / Demo

Before:
before-create
before-use

After:
after-create
after-use

Notes for Reviewers

I'm getting lint warnings from other parts of the code and a Next.js runtime error Failed to create address book. None of those are caused by the changes.

The button label (currently just "HTML") should ideally be changed to "Is HTML" (or similar), but that would require translations.

Security concerns

No sanitization is performed on the templates. This shouldn't be too much of an issue since the templates are written by the user and not downloaded from any other source. Still, however, users may copy HTML from unknown sources or, even worse, import templates without even seeing them. Those templates may contain arbitrary code and lead to Self-XSS.

Ideally, the templates should be sanitized the same way emails are in EmailViewer (at least using DOMPurify). Isolating them in an iframe likely won't be an option since that would require changes to the RichTextEditor.

For now, at least when importing templates, a confirmation modal with a warning should show up for templates written in HTML.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: HTML Templates

1 participant