Show full details with warning icon in case of phishing suspicion

Previously the display-name was stripped, but we should rather show it so people can judge themselves. We insert a warning icon with a help text to draw the attention to it.
2026-02-20 01:21:20 +01:00 · 2025-07-29 14:07:28 +02:00
parent 0662d8b88e
commit ab8404e427
3 changed files with 22 additions and 7 deletions
--- a/program/actions/mail/index.php
+++ b/program/actions/mail/index.php
@@ -1371,11 +1371,6 @@ class rcmail_action_mail_index extends rcmail_action
            $string = $part['string'];
            $valid = rcube_utils::check_email($mailto, false);

-            // phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
-            if (!$show_email && $valid && $name && $name != $mailto && preg_match('/@|＠|﹫/', $name)) {
-                $name = '';
-            }
-
            // IDNA ASCII to Unicode
            if ($name == $mailto) {
                $name = rcube_utils::idn_to_utf8($name);
@@ -1403,15 +1398,26 @@ class rcmail_action_mail_index extends rcmail_action
                        'onclick' => sprintf("return %s.command('compose','%s',this)",
                            rcmail_output::JS_OBJECT_NAME, rcube::JQ(format_email_recipient($mailto, $name))),
                    ];
+                    $prefix = '';

-                    if ($show_email && $name && $mailto) {
+                    if ($name && $name != $mailto && preg_match('/@|＠|﹫/', $name)) {
+                        // phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
+                        $content = rcube::SQ(sprintf('%s <%s>', $name, $mailto));
+                        $msg = $rcmail->gettext('senderphishingwarning');
+                        $prefix = html::span([
+                            'class' => 'sender-phishing-warning',
+                            'title' => $msg,
+                            'role' => 'img',
+                            'aria-label' => $msg,
+                        ], '');
+                    } elseif ($show_email && $name && $mailto) {
                        $content = rcube::SQ(sprintf('%s <%s>', $name, $mailto));
                    } else {
                        $content = rcube::SQ($name ?: $mailto);
                        $attrs['title'] = $mailto;
                    }

-                    $address = html::a($attrs, $content);
+                    $address = $prefix . html::a($attrs, $content);
                } else {
                    $address = html::span(['title' => $mailto, 'class' => 'rcmContactAddress'],
                        rcube::SQ($name ?: $mailto));
--- a/program/localization/en_US/messages.inc
+++ b/program/localization/en_US/messages.inc
@@ -233,3 +233,4 @@ $messages['emptyattachment'] = 'This attachment appears to be empty.<br>Please,
 $messages['oauthloginfailed'] = 'OAuth login failed. Please try again.';
 $messages['oauthinvalidrequest'] = 'Authorization request was invalid or incomplete.';
 $messages['oauthaccessdenied'] = 'Authorization server or the user denied the request.';
+$messages['senderphishingwarning'] = 'This sender name and address look forged, please be careful!';
--- a/skins/elastic/styles/styles.less
+++ b/skins/elastic/styles/styles.less
@@ -434,6 +434,14 @@ body.task-error-login #layout {
    margin: 1rem 1rem 0 1rem;
 }

+.sender-phishing-warning:before {
+    .font-icon-class();
+    float: none;
+    display: inline-block;
+    content: @fa-var-exclamation-triangle;
+    color: @color-message-warning;
+}
+
 #composestatusbar {
    opacity: .3;
    right: 2.5rem;