From 319ccbc8551021bbb065ab27b5d9a91b9a672e04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sat, 20 Jun 2026 15:38:54 +0200
Subject: [PATCH 01/11] feat(composer): add "Insert image from URL" to the rich
 text editor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 appinfo/routes.php                            |   5 +
 lib/Controller/ImageProxyController.php       | 142 ++++++++++++++++
 src/ckeditor/image/ImageFromUrlPlugin.js      |  33 ++++
 src/components/TextEditor.vue                 |  83 +++++++++-
 src/service/ImageProxyService.js              |  20 +++
 .../Controller/ImageProxyControllerTest.php   | 151 ++++++++++++++++++
 6 files changed, 433 insertions(+), 1 deletion(-)
 create mode 100644 lib/Controller/ImageProxyController.php
 create mode 100644 src/ckeditor/image/ImageFromUrlPlugin.js
 create mode 100644 src/service/ImageProxyService.js
 create mode 100644 tests/Unit/Controller/ImageProxyControllerTest.php

diff --git a/appinfo/routes.php b/appinfo/routes.php
index 411af41b6a..5e65106a29 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -305,6 +305,11 @@
 			'url' => '/proxy',
 			'verb' => 'GET'
 		],
+		[
+			'name' => 'imageProxy#fetch',
+			'url' => '/api/image/proxy',
+			'verb' => 'GET'
+		],
 		[
 			'name' => 'settings#index',
 			'url' => '/api/settings/provisioning',
diff --git a/lib/Controller/ImageProxyController.php b/lib/Controller/ImageProxyController.php
new file mode 100644
index 0000000000..a7db2a50c3
--- /dev/null
+++ b/lib/Controller/ImageProxyController.php
@@ -0,0 +1,142 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Controller;
+
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\Files\IMimeTypeDetector;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\LocalServerException;
+use OCP\IRequest;
+use OCP\Security\IRemoteHostValidator;
+use Psr\Http\Client\ClientExceptionInterface;
+use Psr\Log\LoggerInterface;
+use function base64_encode;
+use function fclose;
+use function feof;
+use function fread;
+use function in_array;
+use function is_resource;
+use function parse_url;
+use function strlen;
+
+/**
+ * Downloads an external image server-side so it can be embedded into a composed
+ * message or a signature as a data: URI.
+ *
+ * Loading external images directly in the browser is blocked by the app's
+ * Content Security Policy, so the user provides a URL, the server fetches it
+ * once (with the platform's SSRF protection) and returns the bytes as a data:
+ * URI. The image is later turned into an inline CID attachment when the message
+ * is sent, see {@see \OCA\Mail\Service\MimeMessage::extractDataUriImages()}.
+ */
+#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
+class ImageProxyController extends Controller {
+	/**
+	 * Hard cap on the downloaded image size to avoid exhausting memory and to
+	 * keep outgoing messages within sane limits.
+	 */
+	private const MAX_IMAGE_SIZE = 10 * 1024 * 1024;
+
+	/**
+	 * Image types that browsers can render in an <img> tag and that are safe to
+	 * embed. SVG is intentionally excluded as it can carry active content.
+	 */
+	private const ALLOWED_MIME_TYPES = [
+		'image/png',
+		'image/jpeg',
+		'image/gif',
+		'image/webp',
+		'image/bmp',
+	];
+
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		private IClientService $clientService,
+		private IRemoteHostValidator $remoteHostValidator,
+		private IMimeTypeDetector $mimeTypeDetector,
+		private LoggerInterface $logger,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	/**
+	 * Fetch an external image and return it as a data: URI.
+	 *
+	 * @NoAdminRequired
+	 * @UserRateThrottle(limit=50, period=60)
+	 */
+	#[UserRateLimit(limit: 50, period: 60)]
+	public function fetch(string $url): JSONResponse {
+		$scheme = parse_url($url, PHP_URL_SCHEME);
+		if ($scheme !== 'http' && $scheme !== 'https') {
+			return new JSONResponse(['message' => 'Invalid URL'], Http::STATUS_BAD_REQUEST);
+		}
+
+		// Reject internal/local hosts up front (SSRF). The client throwing a
+		// LocalServerException below additionally guards against redirects.
+		if (!$this->remoteHostValidator->isValid($url)) {
+			return new JSONResponse(['message' => 'Forbidden URL'], Http::STATUS_FORBIDDEN);
+		}
+
+		$client = $this->clientService->newClient();
+		try {
+			$response = $client->get($url, [
+				'timeout' => 10,
+				'stream' => true,
+			]);
+		} catch (LocalServerException $e) {
+			$this->logger->warning('Blocked image insert from forbidden URL', [
+				'exception' => $e,
+			]);
+			return new JSONResponse(['message' => 'Forbidden URL'], Http::STATUS_FORBIDDEN);
+		} catch (ClientExceptionInterface $e) {
+			$this->logger->info('Could not fetch image to insert', [
+				'exception' => $e,
+			]);
+			return new JSONResponse(['message' => 'Could not fetch image'], Http::STATUS_BAD_GATEWAY);
+		}
+
+		$body = $response->getBody();
+		if (!is_resource($body)) {
+			return new JSONResponse(['message' => 'Could not fetch image'], Http::STATUS_BAD_GATEWAY);
+		}
+
+		// Read the response incrementally to enforce the size limit without
+		// buffering arbitrarily large responses in memory.
+		$content = '';
+		while (!feof($body)) {
+			$chunk = fread($body, 8192);
+			if ($chunk === false) {
+				break;
+			}
+			$content .= $chunk;
+			if (strlen($content) > self::MAX_IMAGE_SIZE) {
+				fclose($body);
+				return new JSONResponse(['message' => 'Image too large'], Http::STATUS_REQUEST_ENTITY_TOO_LARGE);
+			}
+		}
+		fclose($body);
+
+		// Detect the type from the actual bytes instead of trusting the remote
+		// Content-Type header.
+		$mimeType = $this->mimeTypeDetector->detectString($content);
+		if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+			return new JSONResponse(['message' => 'Unsupported image type'], Http::STATUS_UNSUPPORTED_MEDIA_TYPE);
+		}
+
+		$dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($content);
+		return new JSONResponse(['data' => $dataUri]);
+	}
+}
diff --git a/src/ckeditor/image/ImageFromUrlPlugin.js b/src/ckeditor/image/ImageFromUrlPlugin.js
new file mode 100644
index 0000000000..4b5a80d1d5
--- /dev/null
+++ b/src/ckeditor/image/ImageFromUrlPlugin.js
@@ -0,0 +1,33 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import imageUrlIcon from '@mdi/svg/svg/image-plus.svg?raw'
+import { translate as t } from '@nextcloud/l10n'
+import { ButtonView, Plugin } from 'ckeditor5'
+
+/**
+ * Adds a toolbar button that lets the user insert an image by URL. The button
+ * only fires an event; the surrounding Vue component (TextEditor) opens a dialog,
+ * downloads the image through the server and inserts it as a data: URI.
+ */
+export default class ImageFromUrlPlugin extends Plugin {
+	init() {
+		const editor = this.editor
+
+		editor.ui.componentFactory.add('imageFromUrl', (locale) => {
+			const button = new ButtonView(locale)
+			button.set({
+				label: t('mail', 'Insert image from URL'),
+				icon: imageUrlIcon,
+				tooltip: true,
+				isEnabled: true,
+			})
+			button.on('execute', () => {
+				editor.fire('mail:insertImageFromUrl')
+			})
+			return button
+		})
+	}
+}
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 9f970fdae1..644cc0ede5 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -18,13 +18,27 @@
 			class="editor"
 			@input="onEditorInput"
 			@ready="onEditorReady" />
+
+		<NcDialog
+			:open.sync="imageUrlDialogOpen"
+			:name="t('mail', 'Insert image from URL')"
+			:buttons="imageUrlDialogButtons"
+			size="normal">
+			<NcTextField
+				v-model="imageUrl"
+				:label="t('mail', 'Image URL')"
+				type="url"
+				:disabled="imageUrlLoading"
+				@keydown.enter.prevent="insertImageFromUrl" />
+		</NcDialog>
 	</div>
 </template>
 
 <script>
 import CKEditor from '@ckeditor/ckeditor5-vue2'
+import { showError } from '@nextcloud/dialogs'
 import { getLanguage } from '@nextcloud/l10n'
-import { emojiAddRecent, emojiSearch } from '@nextcloud/vue'
+import { emojiAddRecent, emojiSearch, NcDialog, NcTextField } from '@nextcloud/vue'
 import {
 	Alignment,
 	Base64UploadAdapter,
@@ -54,12 +68,14 @@ import {
 } from 'ckeditor5'
 import { getLinkWithPicker, searchProvider } from '@nextcloud/vue/components/NcRichText'
 import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
+import ImageFromUrlPlugin from '../ckeditor/image/ImageFromUrlPlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
 import PickerPlugin from '../ckeditor/smartpicker/PickerPlugin.js'
 import logger from '../logger.js'
 import { autoCompleteByName } from '../service/ContactIntegrationService.js'
+import { fetchImageAsDataUri } from '../service/ImageProxyService.js'
 import { Text, toPlain } from '../util/text.js'
 
 import 'ckeditor5/ckeditor5.css'
@@ -68,6 +84,8 @@ export default {
 	name: 'TextEditor',
 	components: {
 		Ckeditor: CKEditor.component,
+		NcDialog,
+		NcTextField,
 	},
 
 	inject: {
@@ -150,6 +168,7 @@ export default {
 				Image,
 				ImageUpload,
 				ImageResize,
+				ImageFromUrlPlugin,
 				Font,
 				RemoveFormat,
 				Base64UploadAdapter,
@@ -170,6 +189,7 @@ export default {
 				'superscript',
 				'fontBackgroundColor',
 				'insertImage',
+				'imageFromUrl',
 				'alignment',
 				'textDirection:ltr',
 				'textDirection:rtl',
@@ -188,6 +208,9 @@ export default {
 			emojiTribute: null,
 			contactMentionQuery: null,
 			textSmiles: [],
+			imageUrlDialogOpen: false,
+			imageUrl: '',
+			imageUrlLoading: false,
 			sourceEditingInputHandler: null,
 			sourceEditingModeHandler: null,
 			sourceEditingDebounceTimer: null,
@@ -252,6 +275,38 @@ export default {
 		}
 	},
 
+	computed: {
+		imageUrlDialogButtons() {
+			return [
+				{
+					label: t('mail', 'Cancel'),
+					type: 'tertiary',
+					disabled: this.imageUrlLoading,
+					callback: () => {
+						this.imageUrlDialogOpen = false
+					},
+				},
+				{
+					label: t('mail', 'Insert'),
+					type: 'primary',
+					disabled: !this.imageUrl || this.imageUrlLoading,
+					callback: () => {
+						this.insertImageFromUrl()
+					},
+				},
+			]
+		},
+	},
+
+	watch: {
+		imageUrlDialogOpen(open) {
+			if (!open) {
+				this.imageUrl = ''
+				this.imageUrlLoading = false
+			}
+		},
+	},
+
 	beforeMount() {
 		this.loadEditorTranslations(getLanguage())
 	},
@@ -581,6 +636,9 @@ export default {
 
 			if (this.html) {
 				this.addToFocusTrap('.ck-body-wrapper')
+				editor.on('mail:insertImageFromUrl', () => {
+					this.imageUrlDialogOpen = true
+				})
 			}
 
 			this.bus.on('append-to-body-at-cursor', this.appendToBodyAtCursor)
@@ -602,6 +660,29 @@ export default {
 			this.editorInstance.model.insertContent(modelFragment)
 		},
 
+		async insertImageFromUrl() {
+			const url = this.imageUrl.trim()
+			if (!url || this.imageUrlLoading) {
+				return
+			}
+
+			this.imageUrlLoading = true
+			try {
+				// The image is fetched server-side and returned as a data: URI. It
+				// renders in the editor despite the strict CSP and is turned into an
+				// inline attachment when the message is sent.
+				const dataUri = await fetchImageAsDataUri(url)
+				this.appendToBodyAtCursor(`<img src="${dataUri}">`)
+				this.editorInstance.editing.view.focus()
+				this.imageUrlDialogOpen = false
+			} catch (error) {
+				logger.error('Could not insert image from URL', { error })
+				showError(t('mail', 'Could not insert image from URL'))
+			} finally {
+				this.imageUrlLoading = false
+			}
+		},
+
 		editorExecute(commandName, ...args) {
 			if (this.editorInstance) {
 				this.editorInstance.execute(commandName, ...args)
diff --git a/src/service/ImageProxyService.js b/src/service/ImageProxyService.js
new file mode 100644
index 0000000000..b90d2e25f8
--- /dev/null
+++ b/src/service/ImageProxyService.js
@@ -0,0 +1,20 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import axios from '@nextcloud/axios'
+import { generateUrl } from '@nextcloud/router'
+
+/**
+ * Fetch an external image through the server and return it as a data: URI so it
+ * can be embedded into the editor and later sent as an inline attachment.
+ *
+ * @param {string} url The external image URL
+ * @return {Promise<string>} The image encoded as a data: URI
+ */
+export async function fetchImageAsDataUri(url) {
+	const endpoint = generateUrl('/apps/mail/api/image/proxy')
+	const { data } = await axios.get(endpoint, { params: { url } })
+	return data.data
+}
diff --git a/tests/Unit/Controller/ImageProxyControllerTest.php b/tests/Unit/Controller/ImageProxyControllerTest.php
new file mode 100644
index 0000000000..880990fd4f
--- /dev/null
+++ b/tests/Unit/Controller/ImageProxyControllerTest.php
@@ -0,0 +1,151 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\ImageProxyController;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\Files\IMimeTypeDetector;
+use OCP\Http\Client\IClient;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\IResponse;
+use OCP\Http\Client\LocalServerException;
+use OCP\IRequest;
+use OCP\Security\IRemoteHostValidator;
+use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\NullLogger;
+
+class ImageProxyControllerTest extends TestCase {
+	/** @var IRequest|MockObject */
+	private $request;
+
+	/** @var IClientService|MockObject */
+	private $clientService;
+
+	/** @var IRemoteHostValidator|MockObject */
+	private $remoteHostValidator;
+
+	/** @var IMimeTypeDetector|MockObject */
+	private $mimeTypeDetector;
+
+	/** @var ImageProxyController */
+	private $controller;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->request = $this->createMock(IRequest::class);
+		$this->clientService = $this->createMock(IClientService::class);
+		$this->remoteHostValidator = $this->createMock(IRemoteHostValidator::class);
+		$this->mimeTypeDetector = $this->createMock(IMimeTypeDetector::class);
+		$this->controller = new ImageProxyController(
+			'mail',
+			$this->request,
+			$this->clientService,
+			$this->remoteHostValidator,
+			$this->mimeTypeDetector,
+			new NullLogger(),
+		);
+	}
+
+	public function testFetchRejectsInvalidScheme(): void {
+		$this->clientService->expects(self::never())
+			->method('newClient');
+
+		$response = $this->controller->fetch('ftp://example.com/image.png');
+
+		self::assertInstanceOf(JSONResponse::class, $response);
+		self::assertSame(Http::STATUS_BAD_REQUEST, $response->getStatus());
+	}
+
+	public function testFetchReturnsDataUri(): void {
+		$content = 'fake-png-bytes';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($content));
+		$client = $this->createMock(IClient::class);
+		$client->expects(self::once())
+			->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->expects(self::once())
+			->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->expects(self::once())
+			->method('detectString')
+			->with($content)
+			->willReturn('image/png');
+
+		$response = $this->controller->fetch('https://example.com/image.png');
+
+		self::assertInstanceOf(JSONResponse::class, $response);
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/png;base64,' . base64_encode($content)],
+			$response->getData(),
+		);
+	}
+
+	public function testFetchBlocksLocalServer(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willThrowException(new LocalServerException());
+		$this->clientService->method('newClient')
+			->willReturn($client);
+
+		$response = $this->controller->fetch('https://localhost/image.png');
+
+		self::assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
+	public function testFetchBlocksForbiddenHost(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(false);
+		$this->clientService->expects(self::never())
+			->method('newClient');
+
+		$response = $this->controller->fetch('https://127.0.0.1/image.png');
+
+		self::assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
+	public function testFetchRejectsNonImage(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor('not-an-image'));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('text/html');
+
+		$response = $this->controller->fetch('https://example.com/evil');
+
+		self::assertSame(Http::STATUS_UNSUPPORTED_MEDIA_TYPE, $response->getStatus());
+	}
+
+	/**
+	 * @return resource
+	 */
+	private function streamFor(string $content) {
+		$stream = fopen('php://memory', 'r+');
+		fwrite($stream, $content);
+		rewind($stream);
+		return $stream;
+	}
+}

From 5b0fa88604be7bb5244d9ab09a03ce239d517034 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sat, 20 Jun 2026 16:32:05 +0200
Subject: [PATCH 02/11] feat(composer): image dropdown, pixel resizing and SVG
 support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Controller/ImageProxyController.php       | 44 +++++++++++-
 lib/Service/MimeMessage.php                   | 39 +++++++++++
 src/ckeditor/image/ImageDropdownPlugin.js     | 67 +++++++++++++++++++
 src/ckeditor/image/ImageFromUrlPlugin.js      | 33 ---------
 src/components/TextEditor.vue                 | 48 +++++++++++--
 .../Controller/ImageProxyControllerTest.php   | 49 ++++++++++++++
 tests/Unit/Service/MimeMessageTest.php        | 35 ++++++++++
 7 files changed, 275 insertions(+), 40 deletions(-)
 create mode 100644 src/ckeditor/image/ImageDropdownPlugin.js
 delete mode 100644 src/ckeditor/image/ImageFromUrlPlugin.js

diff --git a/lib/Controller/ImageProxyController.php b/lib/Controller/ImageProxyController.php
index a7db2a50c3..7fe76d35a8 100644
--- a/lib/Controller/ImageProxyController.php
+++ b/lib/Controller/ImageProxyController.php
@@ -27,7 +27,11 @@
 use function fread;
 use function in_array;
 use function is_resource;
+use function ltrim;
 use function parse_url;
+use function preg_replace;
+use function str_starts_with;
+use function stripos;
 use function strlen;
 
 /**
@@ -50,7 +54,7 @@ class ImageProxyController extends Controller {
 
 	/**
 	 * Image types that browsers can render in an <img> tag and that are safe to
-	 * embed. SVG is intentionally excluded as it can carry active content.
+	 * embed.
 	 */
 	private const ALLOWED_MIME_TYPES = [
 		'image/png',
@@ -58,6 +62,7 @@ class ImageProxyController extends Controller {
 		'image/gif',
 		'image/webp',
 		'image/bmp',
+		'image/svg+xml',
 	];
 
 	public function __construct(
@@ -132,11 +137,48 @@ public function fetch(string $url): JSONResponse {
 		// Detect the type from the actual bytes instead of trusting the remote
 		// Content-Type header.
 		$mimeType = $this->mimeTypeDetector->detectString($content);
+
+		// finfo frequently reports SVG (which is plain XML) as a text/* type, so
+		// fall back to sniffing the markup to support SVG logos.
+		if ($mimeType !== 'image/svg+xml' && $this->looksLikeSvg($content)) {
+			$mimeType = 'image/svg+xml';
+		}
+
 		if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
 			return new JSONResponse(['message' => 'Unsupported image type'], Http::STATUS_UNSUPPORTED_MEDIA_TYPE);
 		}
 
+		if ($mimeType === 'image/svg+xml') {
+			$content = $this->hardenSvg($content);
+		}
+
 		$dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($content);
 		return new JSONResponse(['data' => $dataUri]);
 	}
+
+	/**
+	 * Heuristically decide whether the given bytes are an SVG document.
+	 */
+	private function looksLikeSvg(string $content): bool {
+		$start = ltrim($content);
+		$hasSvgRoot = str_starts_with($start, '<?xml')
+			|| str_starts_with($start, '<!--')
+			|| stripos($start, '<svg') === 0;
+		return $hasSvgRoot && stripos($content, '<svg') !== false;
+	}
+
+	/**
+	 * Best-effort hardening of an SVG before embedding it. When rendered in an
+	 * <img>/CID context scripts do not execute, but the obvious active-content
+	 * vectors are stripped as defence in depth.
+	 */
+	private function hardenSvg(string $content): string {
+		$patterns = [
+			'/<script\b[^>]*>.*?<\/script>/is',
+			'/<foreignObject\b[^>]*>.*?<\/foreignObject>/is',
+			'/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
+			'/(?:href|xlink:href)\s*=\s*("\s*javascript:[^"]*"|\'\s*javascript:[^\']*\')/i',
+		];
+		return preg_replace($patterns, '', $content) ?? $content;
+	}
 }
diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index 1188d18500..c083f5c737 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -82,6 +82,7 @@ private function buildMessagePart(?string $contentPlain, ?string $contentHtml, a
 			$doc = Parser::parseToDomDocument($source);
 			array_push($inlineAttachments, ...$this->extractDataUriImages($doc));
 			$this->rewriteSrcToCid($doc);
+			$this->normalizeImageDimensions($doc);
 			$htmlContent = $doc->saveHTML();
 
 			$htmlPart = new Horde_Mime_Part();
@@ -185,6 +186,44 @@ private function extractDataUriImages(DOMDocument $doc): array {
 		return $parts;
 	}
 
+	/**
+	 * Mirrors pixel dimensions set via the editor's resize feature (stored as
+	 * inline CSS) onto the width/height attributes. Many email clients drop
+	 * inline styles and classes but honour these attributes, so without them a
+	 * resized image would fall back to its (often huge) natural size.
+	 */
+	private function normalizeImageDimensions(DOMDocument $doc): void {
+		foreach ($doc->getElementsByTagName('img') as $image) {
+			if (!($image instanceof DOMElement)) {
+				continue;
+			}
+
+			$style = $image->getAttribute('style');
+			if ($style === '' || preg_match('/(?<![-\w])width:\s*([\d.]+)px/i', $style, $widthMatch) !== 1) {
+				continue;
+			}
+
+			$width = (int)round((float)$widthMatch[1]);
+			if ($width <= 0) {
+				continue;
+			}
+			$image->setAttribute('width', (string)$width);
+
+			// Derive the height from the aspect ratio the editor stores so clients
+			// that ignore CSS keep the correct proportions.
+			if (preg_match('#aspect-ratio:\s*([\d.]+)\s*/\s*([\d.]+)#i', $style, $ratioMatch) === 1) {
+				$ratioWidth = (float)$ratioMatch[1];
+				$ratioHeight = (float)$ratioMatch[2];
+				if ($ratioWidth > 0.0 && $ratioHeight > 0.0) {
+					$height = (int)round($width * $ratioHeight / $ratioWidth);
+					if ($height > 0) {
+						$image->setAttribute('height', (string)$height);
+					}
+				}
+			}
+		}
+	}
+
 	/**
 	 * Rewrites src attributes of img elements that carry a data-cid attribute
 	 * back to their cid: reference, as required by the MIME structure for
diff --git a/src/ckeditor/image/ImageDropdownPlugin.js b/src/ckeditor/image/ImageDropdownPlugin.js
new file mode 100644
index 0000000000..be695d8b58
--- /dev/null
+++ b/src/ckeditor/image/ImageDropdownPlugin.js
@@ -0,0 +1,67 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import imageIcon from '@mdi/svg/svg/image.svg?raw'
+import linkIcon from '@mdi/svg/svg/link-variant.svg?raw'
+import uploadIcon from '@mdi/svg/svg/upload.svg?raw'
+import { translate as t } from '@nextcloud/l10n'
+import { ButtonView, createDropdown, Plugin } from 'ckeditor5'
+
+/**
+ * Toolbar dropdown to insert an image, offering two options: uploading a file
+ * from the computer or fetching one by URL. Both options only fire an event;
+ * the surrounding Vue component (TextEditor) performs the actual work.
+ */
+export default class ImageDropdownPlugin extends Plugin {
+	init() {
+		const editor = this.editor
+
+		editor.ui.componentFactory.add('imageDropdown', (locale) => {
+			const dropdown = createDropdown(locale)
+			dropdown.buttonView.set({
+				label: t('mail', 'Insert image'),
+				icon: imageIcon,
+				tooltip: true,
+			})
+
+			const uploadButton = this._createActionButton(
+				locale,
+				t('mail', 'Upload from computer'),
+				uploadIcon,
+				() => {
+					dropdown.isOpen = false
+					editor.fire('mail:uploadImageFromComputer')
+				},
+			)
+			const urlButton = this._createActionButton(
+				locale,
+				t('mail', 'Insert via URL'),
+				linkIcon,
+				() => {
+					dropdown.isOpen = false
+					editor.fire('mail:insertImageFromUrl')
+				},
+			)
+
+			dropdown.panelView.children.add(uploadButton)
+			dropdown.panelView.children.add(urlButton)
+
+			return dropdown
+		})
+	}
+
+	_createActionButton(locale, label, icon, onExecute) {
+		const button = new ButtonView(locale)
+		button.set({
+			label,
+			icon,
+			tooltip: false,
+			withText: true,
+			isEnabled: true,
+		})
+		button.on('execute', onExecute)
+		return button
+	}
+}
diff --git a/src/ckeditor/image/ImageFromUrlPlugin.js b/src/ckeditor/image/ImageFromUrlPlugin.js
deleted file mode 100644
index 4b5a80d1d5..0000000000
--- a/src/ckeditor/image/ImageFromUrlPlugin.js
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-
-import imageUrlIcon from '@mdi/svg/svg/image-plus.svg?raw'
-import { translate as t } from '@nextcloud/l10n'
-import { ButtonView, Plugin } from 'ckeditor5'
-
-/**
- * Adds a toolbar button that lets the user insert an image by URL. The button
- * only fires an event; the surrounding Vue component (TextEditor) opens a dialog,
- * downloads the image through the server and inserts it as a data: URI.
- */
-export default class ImageFromUrlPlugin extends Plugin {
-	init() {
-		const editor = this.editor
-
-		editor.ui.componentFactory.add('imageFromUrl', (locale) => {
-			const button = new ButtonView(locale)
-			button.set({
-				label: t('mail', 'Insert image from URL'),
-				icon: imageUrlIcon,
-				tooltip: true,
-				isEnabled: true,
-			})
-			button.on('execute', () => {
-				editor.fire('mail:insertImageFromUrl')
-			})
-			return button
-		})
-	}
-}
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 644cc0ede5..01a11a978d 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -19,6 +19,14 @@
 			@input="onEditorInput"
 			@ready="onEditorReady" />
 
+		<input
+			ref="imageFileInput"
+			type="file"
+			accept="image/*"
+			multiple
+			class="image-file-input"
+			@change="onImageFilesSelected">
+
 		<NcDialog
 			:open.sync="imageUrlDialogOpen"
 			:name="t('mail', 'Insert image from URL')"
@@ -68,7 +76,7 @@ import {
 } from 'ckeditor5'
 import { getLinkWithPicker, searchProvider } from '@nextcloud/vue/components/NcRichText'
 import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
-import ImageFromUrlPlugin from '../ckeditor/image/ImageFromUrlPlugin.js'
+import ImageDropdownPlugin from '../ckeditor/image/ImageDropdownPlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
@@ -168,7 +176,7 @@ export default {
 				Image,
 				ImageUpload,
 				ImageResize,
-				ImageFromUrlPlugin,
+				ImageDropdownPlugin,
 				Font,
 				RemoveFormat,
 				Base64UploadAdapter,
@@ -188,8 +196,7 @@ export default {
 				'subscript',
 				'superscript',
 				'fontBackgroundColor',
-				'insertImage',
-				'imageFromUrl',
+				'imageDropdown',
 				'alignment',
 				'textDirection:ltr',
 				'textDirection:rtl',
@@ -222,6 +229,18 @@ export default {
 				plugins,
 				toolbar,
 				language: 'en',
+				image: {
+					// Resize using absolute pixels instead of percentages. A percentage
+					// width is relative to the unknown width of the recipient's mail
+					// client, which makes images appear far too large elsewhere; pixels
+					// translate predictably and are normalised to width/height
+					// attributes when the message is sent.
+					resizeUnit: 'px',
+					upload: {
+						// Defaults plus SVG so vector logos can be uploaded as well.
+						types: ['jpeg', 'png', 'gif', 'bmp', 'webp', 'tiff', 'svg+xml'],
+					},
+				},
 				mention: {
 					feeds: [
 						{
@@ -639,6 +658,9 @@ export default {
 				editor.on('mail:insertImageFromUrl', () => {
 					this.imageUrlDialogOpen = true
 				})
+				editor.on('mail:uploadImageFromComputer', () => {
+					this.$refs.imageFileInput?.click()
+				})
 			}
 
 			this.bus.on('append-to-body-at-cursor', this.appendToBodyAtCursor)
@@ -670,9 +692,10 @@ export default {
 			try {
 				// The image is fetched server-side and returned as a data: URI. It
 				// renders in the editor despite the strict CSP and is turned into an
-				// inline attachment when the message is sent.
+				// inline attachment when the message is sent. Insert it through the
+				// same command the upload feature uses so both behave identically.
 				const dataUri = await fetchImageAsDataUri(url)
-				this.appendToBodyAtCursor(`<img src="${dataUri}">`)
+				this.editorInstance.execute('insertImage', { source: dataUri })
 				this.editorInstance.editing.view.focus()
 				this.imageUrlDialogOpen = false
 			} catch (error) {
@@ -683,6 +706,15 @@ export default {
 			}
 		},
 
+		onImageFilesSelected(event) {
+			const files = Array.from(event.target.files ?? [])
+			if (files.length > 0) {
+				this.editorInstance.execute('uploadImage', { file: files })
+			}
+			// Reset so selecting the same file again still triggers a change event.
+			event.target.value = ''
+		},
+
 		editorExecute(commandName, ...args) {
 			if (this.editorInstance) {
 				this.editorInstance.execute(commandName, ...args)
@@ -752,6 +784,10 @@ export default {
 	cursor: text;
 	margin: 0 !important;
 }
+
+.image-file-input {
+	display: none;
+}
 </style>
 
 <style>
diff --git a/tests/Unit/Controller/ImageProxyControllerTest.php b/tests/Unit/Controller/ImageProxyControllerTest.php
index 880990fd4f..965b3d211b 100644
--- a/tests/Unit/Controller/ImageProxyControllerTest.php
+++ b/tests/Unit/Controller/ImageProxyControllerTest.php
@@ -139,6 +139,55 @@ public function testFetchRejectsNonImage(): void {
 		self::assertSame(Http::STATUS_UNSUPPORTED_MEDIA_TYPE, $response->getStatus());
 	}
 
+	public function testFetchSniffsSvgMisdetectedAsText(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($svg));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('text/xml');
+
+		$response = $this->controller->fetch('https://example.com/logo.svg');
+
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/svg+xml;base64,' . base64_encode($svg)],
+			$response->getData(),
+		);
+	}
+
+	public function testFetchStripsScriptsFromSvg(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect onload="x()"/></svg>';
+		$sanitized = '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($svg));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('image/svg+xml');
+
+		$response = $this->controller->fetch('https://example.com/logo.svg');
+
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/svg+xml;base64,' . base64_encode($sanitized)],
+			$response->getData(),
+		);
+	}
+
 	/**
 	 * @return resource
 	 */
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index 146a3bf26c..db62a51e8f 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -413,6 +413,41 @@ public function testEmbeddedImageSkipNonImages(): void {
 		$this->assertStringNotContainsString('data-cid', $htmlBody);
 	}
 
+	public function testNormalizeImageDimensions(): void {
+		$html = '<p><img src="https://example.com/logo.png" style="aspect-ratio:4/1;width:400px;"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		$this->assertEquals('multipart/alternative', $part->getType());
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="400"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
+	public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
+		$html = '<p><img src="https://example.com/logo.png" style="width:50%;"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringNotContainsString('width="', $htmlBody);
+	}
+
 	private function createAttachmentPart(string $name, string $content, string $mime, string $disposition): Horde_Mime_Part {
 		$part = new Horde_Mime_Part();
 		$part->setCharset('us-ascii');

From 385d976221a5b6d1dd1e6dd1d947bd7d9017e18a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sat, 20 Jun 2026 17:34:31 +0200
Subject: [PATCH 03/11] feat(composer): richer image editing (alignment, alt
 text, link under image, SVG hardening, file picker)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Controller/ImageProxyController.php       |  20 +---
 lib/Service/AntiSpamService.php               |   3 +-
 lib/Service/MailTransmission.php              |   3 +-
 lib/Service/MimeMessage.php                   |  17 ++-
 lib/Service/SvgSanitizer.php                  | 105 ++++++++++++++++++
 src/ckeditor/image/ImageDropdownPlugin.js     |  40 ++++---
 src/components/TextEditor.vue                 |  84 ++++++++++++++
 .../Controller/ImageProxyControllerTest.php   |  18 ++-
 tests/Unit/Service/MimeMessageTest.php        |  26 ++++-
 tests/Unit/Service/SvgSanitizerTest.php       |  82 ++++++++++++++
 10 files changed, 354 insertions(+), 44 deletions(-)
 create mode 100644 lib/Service/SvgSanitizer.php
 create mode 100644 tests/Unit/Service/SvgSanitizerTest.php

diff --git a/lib/Controller/ImageProxyController.php b/lib/Controller/ImageProxyController.php
index 7fe76d35a8..8235280b26 100644
--- a/lib/Controller/ImageProxyController.php
+++ b/lib/Controller/ImageProxyController.php
@@ -15,6 +15,7 @@
 use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\Files\IMimeTypeDetector;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\Http\Client\IClientService;
 use OCP\Http\Client\LocalServerException;
 use OCP\IRequest;
@@ -29,7 +30,6 @@
 use function is_resource;
 use function ltrim;
 use function parse_url;
-use function preg_replace;
 use function str_starts_with;
 use function stripos;
 use function strlen;
@@ -71,6 +71,7 @@ public function __construct(
 		private IClientService $clientService,
 		private IRemoteHostValidator $remoteHostValidator,
 		private IMimeTypeDetector $mimeTypeDetector,
+		private SvgSanitizer $svgSanitizer,
 		private LoggerInterface $logger,
 	) {
 		parent::__construct($appName, $request);
@@ -149,7 +150,7 @@ public function fetch(string $url): JSONResponse {
 		}
 
 		if ($mimeType === 'image/svg+xml') {
-			$content = $this->hardenSvg($content);
+			$content = $this->svgSanitizer->sanitize($content);
 		}
 
 		$dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($content);
@@ -166,19 +167,4 @@ private function looksLikeSvg(string $content): bool {
 			|| stripos($start, '<svg') === 0;
 		return $hasSvgRoot && stripos($content, '<svg') !== false;
 	}
-
-	/**
-	 * Best-effort hardening of an SVG before embedding it. When rendered in an
-	 * <img>/CID context scripts do not execute, but the obvious active-content
-	 * vectors are stripped as defence in depth.
-	 */
-	private function hardenSvg(string $content): string {
-		$patterns = [
-			'/<script\b[^>]*>.*?<\/script>/is',
-			'/<foreignObject\b[^>]*>.*?<\/foreignObject>/is',
-			'/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
-			'/(?:href|xlink:href)\s*=\s*("\s*javascript:[^"]*"|\'\s*javascript:[^\']*\')/i',
-		];
-		return preg_replace($patterns, '', $content) ?? $content;
-	}
 }
diff --git a/lib/Service/AntiSpamService.php b/lib/Service/AntiSpamService.php
index 3bbd51ecff..1f458d5c7d 100644
--- a/lib/Service/AntiSpamService.php
+++ b/lib/Service/AntiSpamService.php
@@ -155,7 +155,8 @@ public function sendReportEmail(Account $account, Mailbox $mailbox, int $uid, st
 		$mail->addHeaders($headers);
 
 		$mimeMessage = new MimeMessage(
-			new DataUriParser()
+			new DataUriParser(),
+			new SvgSanitizer(),
 		);
 
 		$mimePart = $mimeMessage->build(
diff --git a/lib/Service/MailTransmission.php b/lib/Service/MailTransmission.php
index ad5a4d2a1b..ac87ff41ec 100644
--- a/lib/Service/MailTransmission.php
+++ b/lib/Service/MailTransmission.php
@@ -133,7 +133,8 @@ public function sendMessage(Account $account, LocalMessage $localMessage): void
 		$mail->addHeaders($headers);
 
 		$mimeMessage = new MimeMessage(
-			new DataUriParser()
+			new DataUriParser(),
+			new SvgSanitizer(),
 		);
 		$mimePart = $mimeMessage->build(
 			$localMessage->getBodyPlain(),
diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index c083f5c737..507638e864 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -20,9 +20,11 @@
 
 class MimeMessage {
 	private DataUriParser $uriParser;
+	private SvgSanitizer $svgSanitizer;
 
-	public function __construct(DataUriParser $uriParser) {
+	public function __construct(DataUriParser $uriParser, SvgSanitizer $svgSanitizer) {
 		$this->uriParser = $uriParser;
+		$this->svgSanitizer = $svgSanitizer;
 	}
 
 	/**
@@ -173,10 +175,19 @@ private function extractDataUriImages(DOMDocument $doc): array {
 			$part->setCharset($dataUri->getParameters()['charset']);
 			$part->setName('embedded_image_' . $id);
 			$part->setDisposition('inline');
-			if ($dataUri->isBase64()) {
+			if ($dataUri->getMediaType() === 'image/svg+xml') {
+				// Strip any active content from SVGs before they are sent.
+				$raw = $dataUri->isBase64()
+					? base64_decode($dataUri->getData(), true)
+					: rawurldecode($dataUri->getData());
 				$part->setTransferEncoding('base64');
+				$part->setContents(base64_encode($this->svgSanitizer->sanitize($raw === false ? '' : $raw)));
+			} else {
+				if ($dataUri->isBase64()) {
+					$part->setTransferEncoding('base64');
+				}
+				$part->setContents($dataUri->getData());
 			}
-			$part->setContents($dataUri->getData());
 
 			$cid = $part->setContentId();
 			$parts[] = $part;
diff --git a/lib/Service/SvgSanitizer.php b/lib/Service/SvgSanitizer.php
new file mode 100644
index 0000000000..602ab1a00c
--- /dev/null
+++ b/lib/Service/SvgSanitizer.php
@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Service;
+
+use DOMAttr;
+use DOMDocument;
+use DOMElement;
+use DOMXPath;
+
+/**
+ * Removes active content from SVG markup before it is embedded into or sent
+ * with a message. SVGs are rendered in an <img>/CID context where scripts do
+ * not execute, but they are still sanitised as defence in depth: any document
+ * that cannot be parsed safely is dropped entirely.
+ */
+class SvgSanitizer {
+	/** Elements that can carry or execute active content. */
+	private const FORBIDDEN_ELEMENTS = [
+		'script',
+		'foreignObject',
+		'handler',
+		'listener',
+		'set',
+	];
+
+	/**
+	 * @param string $svg The raw (decoded) SVG markup
+	 * @return string The sanitised markup, or an empty string if it cannot be
+	 *                parsed safely
+	 */
+	public function sanitize(string $svg): string {
+		if (trim($svg) === '') {
+			return '';
+		}
+
+		// A DOCTYPE or entity declaration is not needed for plain SVG graphics
+		// and is a common XXE / entity-expansion vector. Reject such documents.
+		if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg) === 1) {
+			return '';
+		}
+
+		$dom = new DOMDocument();
+		$previousErrors = libxml_use_internal_errors(true);
+		// LIBXML_NONET forbids any network access while parsing.
+		$loaded = $dom->loadXML($svg, LIBXML_NONET);
+		libxml_clear_errors();
+		libxml_use_internal_errors($previousErrors);
+
+		if (!$loaded || $dom->documentElement === null) {
+			return '';
+		}
+
+		$xpath = new DOMXPath($dom);
+
+		// Remove dangerous elements. Matching on the local name catches them
+		// regardless of any namespace prefix (e.g. <x:script>).
+		foreach (self::FORBIDDEN_ELEMENTS as $tag) {
+			$nodes = $xpath->query('//*[local-name() = "' . $tag . '"]');
+			if ($nodes !== false) {
+				foreach (iterator_to_array($nodes) as $node) {
+					$node->parentNode?->removeChild($node);
+				}
+			}
+		}
+
+		$elements = $xpath->query('//*');
+		if ($elements !== false) {
+			foreach ($elements as $element) {
+				if ($element instanceof DOMElement) {
+					$this->stripDangerousAttributes($element);
+				}
+			}
+		}
+
+		$result = $dom->saveXML($dom->documentElement);
+		return $result === false ? '' : $result;
+	}
+
+	private function stripDangerousAttributes(DOMElement $element): void {
+		/** @var DOMAttr $attribute */
+		foreach (iterator_to_array($element->attributes) as $attribute) {
+			$name = strtolower($attribute->nodeName);
+			$value = trim($attribute->nodeValue ?? '');
+
+			// Inline event handlers (onload, onclick, …).
+			if (str_starts_with($name, 'on')) {
+				$element->removeAttributeNode($attribute);
+				continue;
+			}
+
+			// Only allow same-document references; strip javascript:, external
+			// and data: URLs from links and resource references.
+			if (in_array($name, ['href', 'xlink:href'], true) && !str_starts_with($value, '#')) {
+				$element->removeAttributeNode($attribute);
+			}
+		}
+	}
+}
diff --git a/src/ckeditor/image/ImageDropdownPlugin.js b/src/ckeditor/image/ImageDropdownPlugin.js
index be695d8b58..51bf3d16a2 100644
--- a/src/ckeditor/image/ImageDropdownPlugin.js
+++ b/src/ckeditor/image/ImageDropdownPlugin.js
@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+import folderIcon from '@mdi/svg/svg/folder-image.svg?raw'
 import imageIcon from '@mdi/svg/svg/image.svg?raw'
 import linkIcon from '@mdi/svg/svg/link-variant.svg?raw'
 import uploadIcon from '@mdi/svg/svg/upload.svg?raw'
@@ -10,9 +11,10 @@ import { translate as t } from '@nextcloud/l10n'
 import { ButtonView, createDropdown, Plugin } from 'ckeditor5'
 
 /**
- * Toolbar dropdown to insert an image, offering two options: uploading a file
- * from the computer or fetching one by URL. Both options only fire an event;
- * the surrounding Vue component (TextEditor) performs the actual work.
+ * Toolbar dropdown to insert an image, offering three options: uploading a file
+ * from the computer, picking one from the Nextcloud files, or fetching one by
+ * URL. Each option only fires an event; the surrounding Vue component
+ * (TextEditor) performs the actual work.
  */
 export default class ImageDropdownPlugin extends Plugin {
 	init() {
@@ -26,27 +28,29 @@ export default class ImageDropdownPlugin extends Plugin {
 				tooltip: true,
 			})
 
-			const uploadButton = this._createActionButton(
+			const fire = (event) => () => {
+				dropdown.isOpen = false
+				editor.fire(event)
+			}
+
+			dropdown.panelView.children.add(this._createActionButton(
 				locale,
 				t('mail', 'Upload from computer'),
 				uploadIcon,
-				() => {
-					dropdown.isOpen = false
-					editor.fire('mail:uploadImageFromComputer')
-				},
-			)
-			const urlButton = this._createActionButton(
+				fire('mail:uploadImageFromComputer'),
+			))
+			dropdown.panelView.children.add(this._createActionButton(
+				locale,
+				t('mail', 'Insert with file manager'),
+				folderIcon,
+				fire('mail:insertImageFromFiles'),
+			))
+			dropdown.panelView.children.add(this._createActionButton(
 				locale,
 				t('mail', 'Insert via URL'),
 				linkIcon,
-				() => {
-					dropdown.isOpen = false
-					editor.fire('mail:insertImageFromUrl')
-				},
-			)
-
-			dropdown.panelView.children.add(uploadButton)
-			dropdown.panelView.children.add(urlButton)
+				fire('mail:insertImageFromUrl'),
+			))
 
 			return dropdown
 		})
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 01a11a978d..30a05caaa5 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -39,12 +39,21 @@
 				:disabled="imageUrlLoading"
 				@keydown.enter.prevent="insertImageFromUrl" />
 		</NcDialog>
+
+		<FilePicker
+			v-if="imageFilePickerOpen"
+			:name="t('mail', 'Choose an image')"
+			:buttons="imageFilePickerButtons"
+			:multiselect="false"
+			:mimetype-filter="['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/webp', 'image/svg+xml']"
+			@close="() => imageFilePickerOpen = false" />
 	</div>
 </template>
 
 <script>
 import CKEditor from '@ckeditor/ckeditor5-vue2'
 import { showError } from '@nextcloud/dialogs'
+import { FilePickerVue as FilePicker } from '@nextcloud/dialogs/filepicker.js'
 import { getLanguage } from '@nextcloud/l10n'
 import { emojiAddRecent, emojiSearch, NcDialog, NcTextField } from '@nextcloud/vue'
 import {
@@ -61,9 +70,11 @@ import {
 	Heading,
 	Image,
 	ImageResize,
+	ImageToolbar,
 	ImageUpload,
 	Italic,
 	Link,
+	LinkImage,
 	List,
 	Mention,
 	Paragraph,
@@ -81,6 +92,7 @@ import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
 import PickerPlugin from '../ckeditor/smartpicker/PickerPlugin.js'
+import { getClient } from '../dav/client.js'
 import logger from '../logger.js'
 import { autoCompleteByName } from '../service/ContactIntegrationService.js'
 import { fetchImageAsDataUri } from '../service/ImageProxyService.js'
@@ -88,10 +100,28 @@ import { Text, toPlain } from '../util/text.js'
 
 import 'ckeditor5/ckeditor5.css'
 
+const IMAGE_FILE_SIZE_LIMIT = 10 * 1024 * 1024
+
+/**
+ * Read a Blob as a data: URI.
+ *
+ * @param {Blob} blob the blob to read
+ * @return {Promise<string>} the data URI
+ */
+function readBlobAsDataUri(blob) {
+	return new Promise((resolve, reject) => {
+		const reader = new FileReader()
+		reader.onload = () => resolve(reader.result)
+		reader.onerror = () => reject(reader.error)
+		reader.readAsDataURL(blob)
+	})
+}
+
 export default {
 	name: 'TextEditor',
 	components: {
 		Ckeditor: CKEditor.component,
+		FilePicker,
 		NcDialog,
 		NcTextField,
 	},
@@ -176,6 +206,8 @@ export default {
 				Image,
 				ImageUpload,
 				ImageResize,
+				ImageToolbar,
+				LinkImage,
 				ImageDropdownPlugin,
 				Font,
 				RemoveFormat,
@@ -218,6 +250,14 @@ export default {
 			imageUrlDialogOpen: false,
 			imageUrl: '',
 			imageUrlLoading: false,
+			imageFilePickerOpen: false,
+			imageFilePickerButtons: [
+				{
+					label: t('mail', 'Choose'),
+					type: 'primary',
+					callback: this.onImageFilesPicked,
+				},
+			],
 			sourceEditingInputHandler: null,
 			sourceEditingModeHandler: null,
 			sourceEditingDebounceTimer: null,
@@ -236,6 +276,24 @@ export default {
 					// translate predictably and are normalised to width/height
 					// attributes when the message is sent.
 					resizeUnit: 'px',
+					// Insert images inline so they live inside a paragraph. This makes
+					// them left-aligned by default and lets the regular text-alignment
+					// buttons move them left/center/right (which is e-mail compatible).
+					insert: {
+						type: 'inline',
+					},
+					resizeOptions: [
+						{ name: 'resizeImage:original', value: null, label: t('mail', 'Original size') },
+						{ name: 'resizeImage:small', value: '150', label: t('mail', 'Small') },
+						{ name: 'resizeImage:medium', value: '300', label: t('mail', 'Medium') },
+						{ name: 'resizeImage:large', value: '500', label: t('mail', 'Large') },
+					],
+					toolbar: [
+						'imageTextAlternative',
+						'linkImage',
+						'|',
+						'resizeImage',
+					],
 					upload: {
 						// Defaults plus SVG so vector logos can be uploaded as well.
 						types: ['jpeg', 'png', 'gif', 'bmp', 'webp', 'tiff', 'svg+xml'],
@@ -661,6 +719,9 @@ export default {
 				editor.on('mail:uploadImageFromComputer', () => {
 					this.$refs.imageFileInput?.click()
 				})
+				editor.on('mail:insertImageFromFiles', () => {
+					this.imageFilePickerOpen = true
+				})
 			}
 
 			this.bus.on('append-to-body-at-cursor', this.appendToBodyAtCursor)
@@ -715,6 +776,29 @@ export default {
 			event.target.value = ''
 		},
 
+		async onImageFilesPicked(nodes) {
+			this.imageFilePickerOpen = false
+			const node = Array.isArray(nodes) ? nodes[0] : nodes
+			if (!node?.path) {
+				return
+			}
+
+			try {
+				if (node.size > IMAGE_FILE_SIZE_LIMIT) {
+					showError(t('mail', 'The selected image is too large to embed'))
+					return
+				}
+				const content = await getClient('files').getFileContents(node.path, { format: 'binary' })
+				const blob = new Blob([content], { type: node.mime || 'application/octet-stream' })
+				const dataUri = await readBlobAsDataUri(blob)
+				this.editorInstance.execute('insertImage', { source: dataUri })
+				this.editorInstance.editing.view.focus()
+			} catch (error) {
+				logger.error('Could not insert image from files', { error })
+				showError(t('mail', 'Could not insert the selected image'))
+			}
+		},
+
 		editorExecute(commandName, ...args) {
 			if (this.editorInstance) {
 				this.editorInstance.execute(commandName, ...args)
diff --git a/tests/Unit/Controller/ImageProxyControllerTest.php b/tests/Unit/Controller/ImageProxyControllerTest.php
index 965b3d211b..98ec0b8b94 100644
--- a/tests/Unit/Controller/ImageProxyControllerTest.php
+++ b/tests/Unit/Controller/ImageProxyControllerTest.php
@@ -11,6 +11,7 @@
 
 use ChristophWurst\Nextcloud\Testing\TestCase;
 use OCA\Mail\Controller\ImageProxyController;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\Files\IMimeTypeDetector;
@@ -36,6 +37,9 @@ class ImageProxyControllerTest extends TestCase {
 	/** @var IMimeTypeDetector|MockObject */
 	private $mimeTypeDetector;
 
+	/** @var SvgSanitizer|MockObject */
+	private $svgSanitizer;
+
 	/** @var ImageProxyController */
 	private $controller;
 
@@ -46,12 +50,14 @@ protected function setUp(): void {
 		$this->clientService = $this->createMock(IClientService::class);
 		$this->remoteHostValidator = $this->createMock(IRemoteHostValidator::class);
 		$this->mimeTypeDetector = $this->createMock(IMimeTypeDetector::class);
+		$this->svgSanitizer = $this->createMock(SvgSanitizer::class);
 		$this->controller = new ImageProxyController(
 			'mail',
 			$this->request,
 			$this->clientService,
 			$this->remoteHostValidator,
 			$this->mimeTypeDetector,
+			$this->svgSanitizer,
 			new NullLogger(),
 		);
 	}
@@ -153,6 +159,8 @@ public function testFetchSniffsSvgMisdetectedAsText(): void {
 			->willReturn($client);
 		$this->mimeTypeDetector->method('detectString')
 			->willReturn('text/xml');
+		$this->svgSanitizer->method('sanitize')
+			->willReturnArgument(0);
 
 		$response = $this->controller->fetch('https://example.com/logo.svg');
 
@@ -163,9 +171,9 @@ public function testFetchSniffsSvgMisdetectedAsText(): void {
 		);
 	}
 
-	public function testFetchStripsScriptsFromSvg(): void {
-		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect onload="x()"/></svg>';
-		$sanitized = '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+	public function testFetchSanitizesSvg(): void {
+		$svg = '<svg onload="x()"><rect/></svg>';
+		$sanitized = '<svg><rect/></svg>';
 		$this->remoteHostValidator->method('isValid')
 			->willReturn(true);
 		$httpResponse = $this->createMock(IResponse::class);
@@ -178,6 +186,10 @@ public function testFetchStripsScriptsFromSvg(): void {
 			->willReturn($client);
 		$this->mimeTypeDetector->method('detectString')
 			->willReturn('image/svg+xml');
+		$this->svgSanitizer->expects(self::once())
+			->method('sanitize')
+			->with($svg)
+			->willReturn($sanitized);
 
 		$response = $this->controller->fetch('https://example.com/logo.svg');
 
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index db62a51e8f..1940a11ad6 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -17,6 +17,7 @@
 use OCA\Mail\Model\NewMessageData;
 use OCA\Mail\Service\DataUri\DataUriParser;
 use OCA\Mail\Service\MimeMessage;
+use OCA\Mail\Service\SvgSanitizer;
 
 class MimeMessageTest extends TestCase {
 	private DataUriParser $uriParser;
@@ -27,7 +28,7 @@ protected function setUp(): void {
 		parent::setUp();
 
 		$this->uriParser = new DataUriParser();
-		$this->mimeMessage = new MimeMessage($this->uriParser);
+		$this->mimeMessage = new MimeMessage($this->uriParser, new SvgSanitizer());
 		$this->account = new Account(new MailAccount());
 	}
 
@@ -448,6 +449,29 @@ public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
 		$this->assertStringNotContainsString('width="', $htmlBody);
 	}
 
+	public function testSanitizesInlineSvg(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect width="10" height="10"/></svg>';
+		$html = '<p><img src="data:image/svg+xml;base64,' . base64_encode($svg) . '"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		$this->assertEquals('multipart/related', $part->getType());
+
+		/** @var Horde_Mime_Part[] $relatedSubParts */
+		$relatedSubParts = $part->getParts();
+		$svgPart = $relatedSubParts[1];
+		$this->assertEquals('image/svg+xml', $svgPart->getType());
+
+		$sanitized = base64_decode($svgPart->getContents());
+		$this->assertStringNotContainsString('<script', $sanitized);
+		$this->assertStringContainsString('<rect', $sanitized);
+	}
+
 	private function createAttachmentPart(string $name, string $content, string $mime, string $disposition): Horde_Mime_Part {
 		$part = new Horde_Mime_Part();
 		$part->setCharset('us-ascii');
diff --git a/tests/Unit/Service/SvgSanitizerTest.php b/tests/Unit/Service/SvgSanitizerTest.php
new file mode 100644
index 0000000000..f4d576a9e9
--- /dev/null
+++ b/tests/Unit/Service/SvgSanitizerTest.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Service;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Service\SvgSanitizer;
+
+class SvgSanitizerTest extends TestCase {
+	private SvgSanitizer $sanitizer;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->sanitizer = new SvgSanitizer();
+	}
+
+	public function testRemovesScript(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('<script', $result);
+		$this->assertStringContainsString('<rect', $result);
+	}
+
+	public function testRemovesEventHandlers(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="evil()" width="10"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('onload', $result);
+		$this->assertStringContainsString('width="10"', $result);
+	}
+
+	public function testRemovesExternalReference(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
+			. '<a xlink:href="https://evil.example"><rect/></a></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('evil.example', $result);
+		$this->assertStringContainsString('<rect', $result);
+	}
+
+	public function testKeepsSameDocumentReference(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
+			. '<use xlink:href="#icon"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringContainsString('#icon', $result);
+	}
+
+	public function testRejectsDoctypeAndEntities(): void {
+		$svg = '<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
+			. '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+
+		$this->assertSame('', $this->sanitizer->sanitize($svg));
+	}
+
+	public function testReturnsEmptyForInvalidMarkup(): void {
+		$this->assertSame('', $this->sanitizer->sanitize('this is not <<< svg'));
+		$this->assertSame('', $this->sanitizer->sanitize(''));
+	}
+
+	public function testKeepsSafeGraphics(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
+			. '<circle cx="5" cy="5" r="4" fill="red"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringContainsString('<circle', $result);
+		$this->assertStringContainsString('fill="red"', $result);
+	}
+}

From fad4d171665c0b99de6137cdfa5df52d02d544c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sat, 20 Jun 2026 21:49:30 +0200
Subject: [PATCH 04/11] feat(composer): image-specific alignment, block images
 & email-safe rendering
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make image alignment a property of the image (CKEditor image styles shown in
the balloon toolbar next to the link option) instead of the surrounding
paragraph, so changing it no longer reflows nearby text. Switch to block images
so paragraphs can be inserted before/after an image and the text-formatting
tools disable while an image is selected. Hide the "displayed text" field when
linking an image and balance the insert-image dropdown spacing.

On send, translate the editor's alignment classes into inline text-align styles
and mirror block-image resize widths (stored on the wrapping figure) onto the
width/height attributes, so other mail clients render alignment and size
correctly.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Service/MimeMessage.php               | 49 ++++++++++++++++++-
 src/ckeditor/image/ImageDropdownPlugin.js |  1 +
 src/ckeditor/image/ImageLinkFormPlugin.js | 53 ++++++++++++++++++++
 src/components/TextEditor.vue             | 59 +++++++++++++++++++++--
 tests/Unit/Service/MimeMessageTest.php    | 49 +++++++++++++++++++
 5 files changed, 205 insertions(+), 6 deletions(-)
 create mode 100644 src/ckeditor/image/ImageLinkFormPlugin.js

diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index 507638e864..a0d153188f 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -85,6 +85,7 @@ private function buildMessagePart(?string $contentPlain, ?string $contentHtml, a
 			array_push($inlineAttachments, ...$this->extractDataUriImages($doc));
 			$this->rewriteSrcToCid($doc);
 			$this->normalizeImageDimensions($doc);
+			$this->normalizeImageAlignment($doc);
 			$htmlContent = $doc->saveHTML();
 
 			$htmlPart = new Horde_Mime_Part();
@@ -209,8 +210,16 @@ private function normalizeImageDimensions(DOMDocument $doc): void {
 				continue;
 			}
 
-			$style = $image->getAttribute('style');
-			if ($style === '' || preg_match('/(?<![-\w])width:\s*([\d.]+)px/i', $style, $widthMatch) !== 1) {
+			// The editor stores the resize width as inline CSS. For inline images
+			// it lives on the <img>; for block images it lives on the wrapping
+			// <figure> while the aspect ratio stays on the <img>. Inspect both.
+			$parent = $image->parentNode;
+			$figureStyle = ($parent instanceof DOMElement && strtolower($parent->tagName) === 'figure')
+				? $parent->getAttribute('style')
+				: '';
+			$style = $image->getAttribute('style') . ';' . $figureStyle;
+
+			if (preg_match('/(?<![-\w])width:\s*([\d.]+)px/i', $style, $widthMatch) !== 1) {
 				continue;
 			}
 
@@ -235,6 +244,42 @@ private function normalizeImageDimensions(DOMDocument $doc): void {
 		}
 	}
 
+	/**
+	 * Translates the editor's image-alignment classes into an inline text-align
+	 * style on the wrapping <figure>. Those classes rely on the editor's own
+	 * stylesheet, which recipients do not load; aligning the (inline) image via
+	 * text-align on its block wrapper is honoured by virtually every mail client.
+	 * The unstyled, left-aligned default needs no rewriting.
+	 */
+	private function normalizeImageAlignment(DOMDocument $doc): void {
+		$alignments = [
+			'image-style-block-align-left' => 'left',
+			'image-style-align-center' => 'center',
+			'image-style-block-align-right' => 'right',
+		];
+
+		foreach ($doc->getElementsByTagName('figure') as $figure) {
+			if (!($figure instanceof DOMElement)) {
+				continue;
+			}
+
+			$classes = $figure->getAttribute('class');
+			if ($classes === '') {
+				continue;
+			}
+
+			foreach ($alignments as $class => $align) {
+				if (!str_contains($classes, $class)) {
+					continue;
+				}
+
+				$style = rtrim(trim($figure->getAttribute('style')), ';');
+				$figure->setAttribute('style', ($style === '' ? '' : $style . '; ') . 'text-align: ' . $align);
+				break;
+			}
+		}
+	}
+
 	/**
 	 * Rewrites src attributes of img elements that carry a data-cid attribute
 	 * back to their cid: reference, as required by the MIME structure for
diff --git a/src/ckeditor/image/ImageDropdownPlugin.js b/src/ckeditor/image/ImageDropdownPlugin.js
index 51bf3d16a2..bf805c3ee4 100644
--- a/src/ckeditor/image/ImageDropdownPlugin.js
+++ b/src/ckeditor/image/ImageDropdownPlugin.js
@@ -22,6 +22,7 @@ export default class ImageDropdownPlugin extends Plugin {
 
 		editor.ui.componentFactory.add('imageDropdown', (locale) => {
 			const dropdown = createDropdown(locale)
+			dropdown.class = 'mail-image-insert-dropdown'
 			dropdown.buttonView.set({
 				label: t('mail', 'Insert image'),
 				icon: imageIcon,
diff --git a/src/ckeditor/image/ImageLinkFormPlugin.js b/src/ckeditor/image/ImageLinkFormPlugin.js
new file mode 100644
index 0000000000..0861d73091
--- /dev/null
+++ b/src/ckeditor/image/ImageLinkFormPlugin.js
@@ -0,0 +1,53 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { Plugin } from 'ckeditor5'
+
+/**
+ * Adjusts the link form when it is opened for an image. An image link has no
+ * "displayed text" (the image itself is the link content), so that input is
+ * hidden to avoid confusion. Dismissing the link balloon while the image stays
+ * selected returns to the image toolbar, which gives the same "back to the
+ * image menu" navigation as the text-alternative form.
+ *
+ * The implementation only reads CKEditor's public API and toggles a DOM style;
+ * if a future version renames the form pieces it simply does nothing.
+ */
+export default class ImageLinkFormPlugin extends Plugin {
+	static get requires() {
+		return ['LinkUI']
+	}
+
+	static get pluginName() {
+		return 'ImageLinkFormPlugin'
+	}
+
+	init() {
+		const editor = this.editor
+
+		if (!editor.plugins.has('ContextualBalloon')) {
+			return
+		}
+
+		const linkUI = editor.plugins.get('LinkUI')
+		const balloon = editor.plugins.get('ContextualBalloon')
+
+		balloon.on('change:visibleView', () => {
+			const formView = linkUI.formView
+			const displayedText = formView?.displayedTextInputView
+			if (!displayedText?.element || balloon.visibleView !== formView) {
+				return
+			}
+
+			const imageUtils = editor.plugins.has('ImageUtils')
+				? editor.plugins.get('ImageUtils')
+				: null
+			const isOnImage = !!imageUtils?.getClosestSelectedImageElement(
+				editor.model.document.selection,
+			)
+			displayedText.element.style.display = isOnImage ? 'none' : ''
+		})
+	}
+}
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 30a05caaa5..5952f944af 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -70,6 +70,7 @@ import {
 	Heading,
 	Image,
 	ImageResize,
+	ImageStyle,
 	ImageToolbar,
 	ImageUpload,
 	Italic,
@@ -88,6 +89,7 @@ import {
 import { getLinkWithPicker, searchProvider } from '@nextcloud/vue/components/NcRichText'
 import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
 import ImageDropdownPlugin from '../ckeditor/image/ImageDropdownPlugin.js'
+import ImageLinkFormPlugin from '../ckeditor/image/ImageLinkFormPlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
@@ -206,9 +208,11 @@ export default {
 				Image,
 				ImageUpload,
 				ImageResize,
+				ImageStyle,
 				ImageToolbar,
 				LinkImage,
 				ImageDropdownPlugin,
+				ImageLinkFormPlugin,
 				Font,
 				RemoveFormat,
 				Base64UploadAdapter,
@@ -276,11 +280,19 @@ export default {
 					// translate predictably and are normalised to width/height
 					// attributes when the message is sent.
 					resizeUnit: 'px',
-					// Insert images inline so they live inside a paragraph. This makes
-					// them left-aligned by default and lets the regular text-alignment
-					// buttons move them left/center/right (which is e-mail compatible).
+					// Insert images as block widgets. This keeps alignment a property of
+					// the image itself (instead of the paragraph it lives in), lets the
+					// user add paragraphs before/after the image, and disables the text
+					// formatting buttons while an image is selected.
 					insert: {
-						type: 'inline',
+						type: 'block',
+					},
+					styles: {
+						// Image-specific alignment so changing it never reflows the
+						// surrounding text. The unstyled state is left-aligned (see the
+						// editor CSS) and is the e-mail-safe default; the explicit classes
+						// are turned into inline styles when the message is sent.
+						options: ['alignBlockLeft', 'alignCenter', 'alignBlockRight'],
 					},
 					resizeOptions: [
 						{ name: 'resizeImage:original', value: null, label: t('mail', 'Original size') },
@@ -289,6 +301,17 @@ export default {
 						{ name: 'resizeImage:large', value: '500', label: t('mail', 'Large') },
 					],
 					toolbar: [
+						{
+							name: 'imageStyle:alignment',
+							title: t('mail', 'Align image'),
+							items: [
+								'imageStyle:alignBlockLeft',
+								'imageStyle:alignCenter',
+								'imageStyle:alignBlockRight',
+							],
+							defaultItem: 'imageStyle:alignBlockLeft',
+						},
+						'|',
 						'imageTextAlternative',
 						'linkImage',
 						'|',
@@ -869,6 +892,13 @@ export default {
 	margin: 0 !important;
 }
 
+/* Block images are centred by CKEditor's default stylesheet. Left-align the
+   unstyled state so it matches both the e-mail-safe default and the explicit
+   "align left" option; centring/right alignment stay opt-in via the toolbar. */
+:deep(.ck-content .image:not([class*='image-style'])) {
+	margin-inline: 0 auto;
+}
+
 .image-file-input {
 	display: none;
 }
@@ -1066,6 +1096,27 @@ https://github.com/ckeditor/ckeditor5/issues/1142
 	border-radius: var(--border-radius-large) !important;
 }
 
+/* Size the "Insert image" dropdown to its labels so it stays usable in narrow
+   containers too (e.g. the signature editor inside the settings dialog). */
+.mail-image-insert-dropdown .ck-dropdown__panel {
+	min-width: max-content;
+}
+
+/* Balance the padding of the "Insert image" dropdown entries: the icon should
+   sit a comfortable distance from the left edge and the label should not leave
+   a large empty gap on the right. */
+.mail-image-insert-dropdown .ck-dropdown__panel .ck-button {
+	display: flex;
+	width: 100%;
+	justify-content: flex-start;
+	padding-inline: var(--default-grid-baseline, 4px);
+}
+
+.mail-image-insert-dropdown .ck-dropdown__panel .ck-button .ck-button__label {
+	padding-inline-start: var(--default-grid-baseline, 4px);
+	padding-inline-end: var(--default-grid-baseline, 4px);
+}
+
 /* Needs to be set to flex, bececause else it breaks the toolbar - it is shown in 2 lines instead of 1 */
 .ck.ck-splitbutton.ck-dropdown__button{
 	display: flex !important;
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index 1940a11ad6..43bea56037 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -433,6 +433,23 @@ public function testNormalizeImageDimensions(): void {
 		$this->assertStringContainsString('height="100"', $htmlBody);
 	}
 
+	public function testNormalizeImageDimensionsFromFigure(): void {
+		$html = '<figure class="image image_resized" style="width:200px;"><img src="https://example.com/logo.png" style="aspect-ratio:2/1;"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="200"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
 	public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
 		$html = '<p><img src="https://example.com/logo.png" style="width:50%;"></p>';
 
@@ -449,6 +466,38 @@ public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
 		$this->assertStringNotContainsString('width="', $htmlBody);
 	}
 
+	public function testNormalizeImageAlignment(): void {
+		$html = '<figure class="image image-style-align-center"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('text-align: center', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentLeavesDefaultUntouched(): void {
+		$html = '<figure class="image"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringNotContainsString('text-align', $htmlBody);
+	}
+
 	public function testSanitizesInlineSvg(): void {
 		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect width="10" height="10"/></svg>';
 		$html = '<p><img src="data:image/svg+xml;base64,' . base64_encode($svg) . '"></p>';

From 2f83522b3b207ec3b673aedfcf020b6f4a96f394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sat, 20 Jun 2026 22:23:33 +0200
Subject: [PATCH 05/11] fix(composer): tidy image toolbar and fix image editing
 in signature settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 src/ckeditor/image/ImageAlignmentPlugin.js | 69 ++++++++++++++++++++++
 src/components/TextEditor.vue              | 22 ++++---
 2 files changed, 79 insertions(+), 12 deletions(-)
 create mode 100644 src/ckeditor/image/ImageAlignmentPlugin.js

diff --git a/src/ckeditor/image/ImageAlignmentPlugin.js b/src/ckeditor/image/ImageAlignmentPlugin.js
new file mode 100644
index 0000000000..60bd8f2e8e
--- /dev/null
+++ b/src/ckeditor/image/ImageAlignmentPlugin.js
@@ -0,0 +1,69 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import alignCenterIcon from '@mdi/svg/svg/format-align-center.svg?raw'
+import alignLeftIcon from '@mdi/svg/svg/format-align-left.svg?raw'
+import alignRightIcon from '@mdi/svg/svg/format-align-right.svg?raw'
+import { translate as t } from '@nextcloud/l10n'
+import { addToolbarToDropdown, createDropdown, Plugin } from 'ckeditor5'
+
+const ALIGNMENT_BUTTONS = [
+	'imageStyle:alignBlockLeft',
+	'imageStyle:alignCenter',
+	'imageStyle:alignBlockRight',
+]
+
+/**
+ * Registers an "imageAlignment" toolbar item that groups the image alignment
+ * options into a single dropdown button — the whole button opens the menu,
+ * exactly like the text-alignment dropdown. CKEditor's built-in image-style
+ * grouping renders a split button instead (with a separately hoverable arrow),
+ * which is what this plugin replaces.
+ */
+export default class ImageAlignmentPlugin extends Plugin {
+	static get pluginName() {
+		return 'ImageAlignmentPlugin'
+	}
+
+	init() {
+		const editor = this.editor
+		const factory = editor.ui.componentFactory
+
+		factory.add('imageAlignment', (locale) => {
+			const dropdown = createDropdown(locale)
+			const buttons = ALIGNMENT_BUTTONS.map((name) => factory.create(name))
+
+			addToolbarToDropdown(dropdown, buttons, {
+				enableActiveItemFocusOnDropdownOpen: true,
+			})
+
+			dropdown.buttonView.set({
+				label: t('mail', 'Align image'),
+				icon: alignLeftIcon,
+				tooltip: true,
+			})
+
+			// Reflect the current alignment on the toolbar button, like the text
+			// alignment dropdown does.
+			const command = editor.commands.get('imageStyle')
+			if (command) {
+				dropdown.buttonView.bind('icon').to(command, 'value', (value) => {
+					if (value === 'alignCenter') {
+						return alignCenterIcon
+					}
+					if (value === 'alignBlockRight') {
+						return alignRightIcon
+					}
+					return alignLeftIcon
+				})
+			}
+
+			// Only enable the dropdown while an alignment option is available.
+			dropdown.bind('isEnabled').toMany(buttons, 'isEnabled', (...enabled) => enabled.some(Boolean))
+
+			return dropdown
+		})
+	}
+}
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 5952f944af..1b4d1c8db0 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -88,6 +88,7 @@ import {
 } from 'ckeditor5'
 import { getLinkWithPicker, searchProvider } from '@nextcloud/vue/components/NcRichText'
 import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
+import ImageAlignmentPlugin from '../ckeditor/image/ImageAlignmentPlugin.js'
 import ImageDropdownPlugin from '../ckeditor/image/ImageDropdownPlugin.js'
 import ImageLinkFormPlugin from '../ckeditor/image/ImageLinkFormPlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
@@ -212,6 +213,7 @@ export default {
 				ImageToolbar,
 				LinkImage,
 				ImageDropdownPlugin,
+				ImageAlignmentPlugin,
 				ImageLinkFormPlugin,
 				Font,
 				RemoveFormat,
@@ -301,19 +303,9 @@ export default {
 						{ name: 'resizeImage:large', value: '500', label: t('mail', 'Large') },
 					],
 					toolbar: [
-						{
-							name: 'imageStyle:alignment',
-							title: t('mail', 'Align image'),
-							items: [
-								'imageStyle:alignBlockLeft',
-								'imageStyle:alignCenter',
-								'imageStyle:alignBlockRight',
-							],
-							defaultItem: 'imageStyle:alignBlockLeft',
-						},
+						'imageAlignment',
 						'|',
 						'imageTextAlternative',
-						'linkImage',
 						'|',
 						'resizeImage',
 					],
@@ -735,7 +727,13 @@ export default {
 			}
 
 			if (this.html) {
-				this.addToFocusTrap('.ck-body-wrapper')
+				// Exempt CKEditor's balloon container (image toolbar, link form,
+				// mention lists, …) from the surrounding modal's focus trap so it
+				// can be interacted with. The account-settings dialog resolves trap
+				// elements differently from the composer modal, so register the
+				// resolved node — accepted by both — rather than a selector string.
+				const ckBodyWrapper = document.querySelector('.ck-body-wrapper')
+				this.addToFocusTrap(ckBodyWrapper || '.ck-body-wrapper')
 				editor.on('mail:insertImageFromUrl', () => {
 					this.imageUrlDialogOpen = true
 				})

From aab36f82ff24773eae700fce981d8fd8afcae0cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 14:49:34 +0200
Subject: [PATCH 06/11] fix(settings): mount account-settings dialog at app
 root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NcModal relocates its dialog to <body> on mount, but declaring
AccountSettings inside the frequently re-rendering navigation moved it
back into the scrollable, overflow-clipped sidebar. CKEditor's
Rect.getVisible() then clipped the editor content against the narrow
sidebar and treated it as invisible, so getOptimalPosition() returned
null and every balloon (image toolbar, link form) was parked off-screen
at -99999. Render a single store-driven AccountSettings at the stable
app root instead, matching how the composer is mounted, and drop the
now-unused per-account settings getters.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 src/components/NavigationAccount.vue | 14 ----------
 src/store/mainStore/actions.js       |  9 ------
 src/views/Home.vue                   | 41 +++++++++++++++++++++++++++-
 3 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/src/components/NavigationAccount.vue b/src/components/NavigationAccount.vue
index 0d9b24706e..567154de82 100644
--- a/src/components/NavigationAccount.vue
+++ b/src/components/NavigationAccount.vue
@@ -96,11 +96,6 @@
 				</template>
 			</template>
 		</NcAppNavigationCaption>
-		<AccountSettings
-			:open="showSettings"
-			:account="account"
-			:scroll-to-section="showSettingsSection"
-			@update:open="showAccountSettings($event)" />
 		<DelegationModal v-if="showDelegationModal" :account="account" @close="showDelegationModal = false" />
 	</Fragment>
 </template>
@@ -132,7 +127,6 @@ export default {
 		ActionCheckbox,
 		ActionInput,
 		ActionText,
-		AccountSettings: () => import(/* webpackChunkName: "account-settings" */ './AccountSettings.vue'),
 		DelegationModal: () => import(/* webpackChunkName: "delegation-modal" */ './DelegationModal.vue'),
 		IconInfo,
 		IconSettings,
@@ -193,14 +187,6 @@ export default {
 
 	computed: {
 		...mapStores(useMainStore),
-		showSettings() {
-			return this.mainStore.showSettingsForAccount(this.account.id)
-		},
-
-		showSettingsSection() {
-			return this.mainStore.showSettingsSectionForAccount(this.account.id)
-		},
-
 		visible() {
 			return this.account.isUnified !== true && this.account.visible !== false
 		},
diff --git a/src/store/mainStore/actions.js b/src/store/mainStore/actions.js
index 58579dcd53..588bb7a30e 100644
--- a/src/store/mainStore/actions.js
+++ b/src/store/mainStore/actions.js
@@ -2503,15 +2503,6 @@ export default function mainStoreActions() {
 		getInbox(accountId) {
 			return this.findMailboxBySpecialRole(accountId, 'inbox')
 		},
-		showSettingsForAccount(accountId) {
-			return this.showAccountSettings?.accountId === accountId
-		},
-		showSettingsSectionForAccount(accountId) {
-			if (this.showAccountSettings?.accountId !== accountId) {
-				return undefined
-			}
-			return this.showAccountSettings.section
-		},
 		getMyTextBlocks() {
 			return this.myTextBlocks
 		},
diff --git a/src/views/Home.vue b/src/views/Home.vue
index 56fad9e960..89ff8c6d68 100644
--- a/src/views/Home.vue
+++ b/src/views/Home.vue
@@ -15,6 +15,18 @@
 			<ComposerSessionIndicator @close="onCloseMessageModal" />
 			<NewMessageModal ref="newMessageModal" :accounts="accounts" />
 		</template>
+
+		<!-- Rendered here, at the stable app root, rather than inside the
+		     navigation: NcModal relocates the dialog to <body> on mount, but the
+		     frequently re-rendering navigation moves it back into the scrollable,
+		     overflow-clipped sidebar. CKEditor then considers its content clipped
+		     and parks every balloon (image toolbar, link form) off-screen. -->
+		<AccountSettings
+			v-if="settingsAccount"
+			:open="settingsOpen"
+			:account="settingsAccount"
+			:scroll-to-section="settingsSection"
+			@update:open="onCloseAccountSettings" />
 	</NcContent>
 </template>
 
@@ -38,6 +50,7 @@ export default {
 		MailboxThread,
 		Navigation,
 		NewMessageModal: () => import(/* webpackChunkName: "new-message-modal" */ '../components/NewMessageModal.vue'),
+		AccountSettings: () => import(/* webpackChunkName: "account-settings" */ '../components/AccountSettings.vue'),
 		Outbox,
 		ComposerSessionIndicator,
 	},
@@ -45,12 +58,17 @@ export default {
 	data() {
 		return {
 			hasComposerSession: false,
+			// The currently open account-settings dialog. The account is kept
+			// after closing so the dialog stays mounted for its out-transition.
+			settingsAccount: null,
+			settingsOpen: false,
+			settingsSection: undefined,
 		}
 	},
 
 	computed: {
 		...mapStores(useMainStore),
-		...mapState(useMainStore, ['composerSessionId']),
+		...mapState(useMainStore, ['composerSessionId', 'showAccountSettings']),
 		accounts() {
 			return this.mainStore.getAccounts.filter((a) => !a.isUnified)
 		},
@@ -82,6 +100,23 @@ export default {
 
 			this.hasComposerSession = true
 		},
+
+		showAccountSettings: {
+			immediate: true,
+			handler(settings) {
+				if (settings?.accountId) {
+					this.settingsAccount = this.mainStore.getAccount(settings.accountId)
+					this.settingsSection = settings.section
+					// Mount first (settingsAccount), then open on the next tick so the
+					// dialog's `open` watcher fires and runs its on-open side effects.
+					this.$nextTick(() => {
+						this.settingsOpen = true
+					})
+				} else {
+					this.settingsOpen = false
+				}
+			},
+		},
 	},
 
 	async beforeMount() {
@@ -172,6 +207,10 @@ export default {
 		async onCloseMessageModal() {
 			await this.$refs.newMessageModal.onClose()
 		},
+
+		onCloseAccountSettings() {
+			this.mainStore.showSettingsForAccountMutation(null)
+		},
 	},
 }
 

From bd313c49c1c5c67ceef912625e60ff5bac944346 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 17:32:07 +0200
Subject: [PATCH 07/11] fix(composer): sync resized dimensions onto linked
 images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

normalizeImageDimensions only inspected an image's direct parent for
the resize width, so a linked image (<figure><a><img></a></figure>)
kept its natural width/height and rendered at full size in clients
that drop inline CSS. Walk up to the figure ancestor instead.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Service/MimeMessage.php            | 18 +++++++++++++-----
 tests/Unit/Service/MimeMessageTest.php | 17 +++++++++++++++++
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index a0d153188f..7bcd680890 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -212,11 +212,19 @@ private function normalizeImageDimensions(DOMDocument $doc): void {
 
 			// The editor stores the resize width as inline CSS. For inline images
 			// it lives on the <img>; for block images it lives on the wrapping
-			// <figure> while the aspect ratio stays on the <img>. Inspect both.
-			$parent = $image->parentNode;
-			$figureStyle = ($parent instanceof DOMElement && strtolower($parent->tagName) === 'figure')
-				? $parent->getAttribute('style')
-				: '';
+			// <figure> while the aspect ratio stays on the <img>. A linked image
+			// is nested one level deeper (<figure><a><img></a></figure>), so walk
+			// up the ancestors to find the figure rather than only checking the
+			// direct parent. Inspect both the image's and the figure's style.
+			$figureStyle = '';
+			$ancestor = $image->parentNode;
+			while ($ancestor instanceof DOMElement) {
+				if (strtolower($ancestor->tagName) === 'figure') {
+					$figureStyle = $ancestor->getAttribute('style');
+					break;
+				}
+				$ancestor = $ancestor->parentNode;
+			}
 			$style = $image->getAttribute('style') . ';' . $figureStyle;
 
 			if (preg_match('/(?<![-\w])width:\s*([\d.]+)px/i', $style, $widthMatch) !== 1) {
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index 43bea56037..e00c41909b 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -450,6 +450,23 @@ public function testNormalizeImageDimensionsFromFigure(): void {
 		$this->assertStringContainsString('height="100"', $htmlBody);
 	}
 
+	public function testNormalizeImageDimensionsFromFigureWrappingLink(): void {
+		$html = '<figure class="image image_resized" style="width:200px;"><a href="https://example.com"><img src="https://example.com/logo.png" style="aspect-ratio:2/1;"></a></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="200"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
 	public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
 		$html = '<p><img src="https://example.com/logo.png" style="width:50%;"></p>';
 

From c25a64d3f5f8921119e18bf491134b5c7c795c72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 20:00:44 +0200
Subject: [PATCH 08/11] fix(composer): inline externally pasted images via the
 image proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Images pasted from a web page keep their external src, which the
editor CSP blocks, so they render as the alt-text placeholder. Fetch
them through the server-side image proxy and rewrite the src to a
data: URI so they display in the editor and are sent inline.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 src/ckeditor/image/ImagePastePlugin.js | 87 ++++++++++++++++++++++++++
 src/components/TextEditor.vue          |  2 +
 2 files changed, 89 insertions(+)
 create mode 100644 src/ckeditor/image/ImagePastePlugin.js

diff --git a/src/ckeditor/image/ImagePastePlugin.js b/src/ckeditor/image/ImagePastePlugin.js
new file mode 100644
index 0000000000..08ad470fcf
--- /dev/null
+++ b/src/ckeditor/image/ImagePastePlugin.js
@@ -0,0 +1,87 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { Plugin } from 'ckeditor5'
+import logger from '../../logger.js'
+import { fetchImageAsDataUri } from '../../service/ImageProxyService.js'
+
+const EXTERNAL_SRC = /^https?:\/\//i
+
+/**
+ * Inlines images that are pasted from another web page. Such images keep their
+ * original external `src`, which the editor's strict CSP refuses to load, so
+ * they render as the broken/alt-text placeholder. Fetching them through the
+ * server-side image proxy turns them into data: URIs that both display in the
+ * editor and are sent as inline attachments — exactly like the "insert image
+ * from URL" feature.
+ */
+export default class ImagePastePlugin extends Plugin {
+	static get pluginName() {
+		return 'ImagePastePlugin'
+	}
+
+	init() {
+		const model = this.editor.model
+
+		model.document.on('change:data', () => {
+			const images = []
+			for (const change of model.document.differ.getChanges()) {
+				if (change.type !== 'insert') {
+					continue
+				}
+				const node = change.position?.nodeAfter
+				if (node) {
+					this._collectExternalImages(node, images)
+				}
+			}
+
+			images.forEach((image) => this._inlineExternalImage(image))
+		})
+	}
+
+	/**
+	 * Recursively collects images with an external src from an inserted node.
+	 *
+	 * @param {module:engine/model/node~Node} node the inserted node to inspect
+	 * @param {Array} found accumulator of matching image elements
+	 * @private
+	 */
+	_collectExternalImages(node, found) {
+		if (!node.is?.('element')) {
+			return
+		}
+
+		const isImage = node.is('element', 'imageBlock') || node.is('element', 'imageInline')
+		if (isImage && EXTERNAL_SRC.test(node.getAttribute('src') ?? '')) {
+			found.push(node)
+		}
+
+		for (const child of node.getChildren()) {
+			this._collectExternalImages(child, found)
+		}
+	}
+
+	/**
+	 * Fetches an external image through the proxy and rewrites its src to the
+	 * returned data: URI. Runs asynchronously, so the model is re-checked before
+	 * the write in case the element was removed in the meantime.
+	 *
+	 * @param {module:engine/model/element~Element} image the image element
+	 * @private
+	 */
+	async _inlineExternalImage(image) {
+		const src = image.getAttribute('src')
+		try {
+			const dataUri = await fetchImageAsDataUri(src)
+			this.editor.model.change((writer) => {
+				if (image.root?.rootName && image.parent) {
+					writer.setAttribute('src', dataUri, image)
+				}
+			})
+		} catch (error) {
+			logger.error('Could not inline pasted image', { error, src })
+		}
+	}
+}
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 1b4d1c8db0..b7b47a8d17 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -91,6 +91,7 @@ import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
 import ImageAlignmentPlugin from '../ckeditor/image/ImageAlignmentPlugin.js'
 import ImageDropdownPlugin from '../ckeditor/image/ImageDropdownPlugin.js'
 import ImageLinkFormPlugin from '../ckeditor/image/ImageLinkFormPlugin.js'
+import ImagePastePlugin from '../ckeditor/image/ImagePastePlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
@@ -215,6 +216,7 @@ export default {
 				ImageDropdownPlugin,
 				ImageAlignmentPlugin,
 				ImageLinkFormPlugin,
+				ImagePastePlugin,
 				Font,
 				RemoveFormat,
 				Base64UploadAdapter,

From a55ceb20fb6875a2e13a608df9a2144a3a289372 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 20:46:46 +0200
Subject: [PATCH 09/11] fix(settings): respect the writing mode in the
 signature editor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The signature editor was always rich text, so a signature image was
mangled into a raw HTML object when the account's writing mode was plain
text. Several related problems are fixed together:

- Drive the signature editor's mode from the account's writing mode and
  re-encode the signature to the active format (HTML or plain text).
- Warn before switching from rich text to plain text, since that drops
  formatting, inline images and links — including those in the signature.
- Resolve the account-settings dialog's account reactively from the store
  instead of a one-time snapshot, so changes (e.g. the writing mode) are
  reflected live instead of only after reopening.
- Bind the writing-mode radios to the stored value and revert an
  unconfirmed native toggle, so the mode only changes once confirmed and
  cancelling no longer leaves the UI showing plain text.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 src/components/EditorSettings.vue    | 86 ++++++++++++++++++++++------
 src/components/SignatureSettings.vue | 38 ++++++++++--
 src/views/Home.vue                   | 16 ++++--
 3 files changed, 115 insertions(+), 25 deletions(-)

diff --git a/src/components/EditorSettings.vue b/src/components/EditorSettings.vue
index f8889b85e4..a6f22eff04 100644
--- a/src/components/EditorSettings.vue
+++ b/src/components/EditorSettings.vue
@@ -8,20 +8,24 @@
 		<p>
 			<input
 				id="plaintext"
-				v-model="mode"
+				ref="plaintext"
+				:name="radioGroupName"
 				type="radio"
 				class="radio"
-				value="plaintext">
-			<label :class="{ primary: mode === 'plaintext' }" for="plaintext">
+				:checked="account.editorMode === EDITOR_MODE_TEXT"
+				@change="selectMode(EDITOR_MODE_TEXT)">
+			<label :class="{ primary: account.editorMode === EDITOR_MODE_TEXT }" for="plaintext">
 				{{ t('mail', 'Plain text') }}
 			</label>
 			<input
 				id="richtext"
-				v-model="mode"
+				ref="richtext"
+				:name="radioGroupName"
 				type="radio"
 				class="radio"
-				value="richtext">
-			<label :class="{ primary: mode === 'richtext' }" for="richtext">
+				:checked="account.editorMode === EDITOR_MODE_HTML"
+				@change="selectMode(EDITOR_MODE_HTML)">
+			<label :class="{ primary: account.editorMode === EDITOR_MODE_HTML }" for="richtext">
 				{{ t('mail', 'Rich text') }}
 			</label>
 		</p>
@@ -31,6 +35,7 @@
 <script>
 import { mapStores } from 'pinia'
 import Logger from '../logger.js'
+import { EDITOR_MODE_HTML, EDITOR_MODE_TEXT } from '../store/constants.js'
 import useMainStore from '../store/mainStore.js'
 
 export default {
@@ -42,22 +47,56 @@ export default {
 		},
 	},
 
-	data() {
-		return {
-			mode: this.account.editorMode,
-		}
-	},
-
 	computed: {
 		...mapStores(useMainStore),
+
+		// Expose the constants to the template and group the radios per account.
+		EDITOR_MODE_TEXT: () => EDITOR_MODE_TEXT,
+		EDITOR_MODE_HTML: () => EDITOR_MODE_HTML,
+		radioGroupName() {
+			return `editor-mode-${this.account.id}`
+		},
 	},
 
-	watch: {
-		mode(val, oldVal) {
+	methods: {
+		selectMode(mode) {
+			if (mode === this.account.editorMode) {
+				return
+			}
+
+			// Switching from rich text to plain text strips all formatting and
+			// inline images — including those in the signature — so confirm first.
+			if (this.account.editorMode === EDITOR_MODE_HTML && mode === EDITOR_MODE_TEXT) {
+				// The native radio already moved the DOM selection; snap it back to
+				// the stored value at once so the writing mode only visibly changes
+				// once the user confirms.
+				this.syncRadios()
+				OC.dialogs.confirmDestructive(
+					t('mail', 'Switching to plain text removes any existing formatting such as bold, italic, underline, inline images and links — including those in your signature.'),
+					t('mail', 'Switch to plain text'),
+					{
+						type: OC.dialogs.YES_NO_BUTTONS,
+						confirm: t('mail', 'Switch and remove formatting'),
+						confirmClasses: 'error',
+						cancel: t('mail', 'Keep rich text'),
+					},
+					(decision) => {
+						if (decision) {
+							this.persistMode(mode)
+						}
+					},
+				)
+				return
+			}
+
+			this.persistMode(mode)
+		},
+
+		persistMode(mode) {
 			this.mainStore.patchAccount({
 				account: this.account,
 				data: {
-					editorMode: val,
+					editorMode: mode,
 				},
 			})
 				.then(() => {
@@ -65,10 +104,25 @@ export default {
 				})
 				.catch((error) => {
 					Logger.error('could not update editor mode', { error })
-					this.editorMode = oldVal
+					this.syncRadios()
 					throw error
 				})
 		},
+
+		/**
+		 * Re-asserts the radio DOM selection from the stored writing mode. Vue keeps
+		 * `:checked` bound to the store, but a native toggle we do not persist
+		 * (cancelled or failed) leaves the DOM out of sync because the bound value
+		 * never changed and Vue therefore skips patching it.
+		 */
+		syncRadios() {
+			if (this.$refs.plaintext) {
+				this.$refs.plaintext.checked = this.account.editorMode === EDITOR_MODE_TEXT
+			}
+			if (this.$refs.richtext) {
+				this.$refs.richtext.checked = this.account.editorMode === EDITOR_MODE_HTML
+			}
+		},
 	},
 }
 </script>
diff --git a/src/components/SignatureSettings.vue b/src/components/SignatureSettings.vue
index e5bdc18d27..526ddd35a4 100644
--- a/src/components/SignatureSettings.vue
+++ b/src/components/SignatureSettings.vue
@@ -28,8 +28,9 @@
 		<!-- Added wrapper to give the signature editor a clear input-style border -->
 		<div class="signature-editor-wrapper">
 			<TextEditor
+				:key="account.editorMode"
 				v-model="signature"
-				:html="true"
+				:html="editorIsHtml"
 				:placeholder="t('mail', 'Signature …')"
 				:bus="bus"
 				class="signature-editor-wrapper__editor" />
@@ -66,8 +67,9 @@ import { mapStores } from 'pinia'
 import IconCheck from 'vue-material-design-icons/Check.vue'
 import TextEditor from './TextEditor.vue'
 import logger from '../logger.js'
+import { EDITOR_MODE_HTML } from '../store/constants.js'
 import useMainStore from '../store/mainStore.js'
-import { detect, toHtml } from '../util/text.js'
+import { detect, toHtml, toPlain } from '../util/text.js'
 
 export default {
 	name: 'SignatureSettings',
@@ -98,6 +100,10 @@ export default {
 
 	computed: {
 		...mapStores(useMainStore),
+		editorIsHtml() {
+			return this.account.editorMode === EDITOR_MODE_HTML
+		},
+
 		identities() {
 			const identities = this.account.aliases.map((alias) => {
 				return {
@@ -122,6 +128,15 @@ export default {
 	},
 
 	watch: {
+		// The signature editor follows the account's writing mode. When that mode
+		// changes (e.g. via the writing-mode setting), re-encode the in-editor
+		// signature so plain text never shows raw HTML and vice versa. Switching to
+		// plain text is lossy (images/links are dropped); the writing-mode setting
+		// warns the user before the change reaches here.
+		editorIsHtml() {
+			this.signature = this.formatSignature(this.signature)
+		},
+
 		async signatureAboveQuote(val, oldVal) {
 			try {
 				await this.mainStore.patchAccount({
@@ -146,9 +161,22 @@ export default {
 		changeIdentity(identity) {
 			logger.debug('select identity', { identity })
 			this.identity = identity
-			this.signature = identity.signature
-				? toHtml(detect(identity.signature)).value
-				: ''
+			this.signature = this.formatSignature(identity.signature)
+		},
+
+		/**
+		 * Encodes a stored signature into the format the editor currently expects
+		 * (HTML in rich-text mode, plain text otherwise).
+		 *
+		 * @param {string|null} signature the stored signature
+		 * @return {string} the signature in the active editor format
+		 */
+		formatSignature(signature) {
+			if (!signature) {
+				return ''
+			}
+			const detected = detect(signature)
+			return this.editorIsHtml ? toHtml(detected).value : toPlain(detected).value
 		},
 
 		async deleteSignature() {
diff --git a/src/views/Home.vue b/src/views/Home.vue
index 89ff8c6d68..7fc60e9716 100644
--- a/src/views/Home.vue
+++ b/src/views/Home.vue
@@ -58,9 +58,11 @@ export default {
 	data() {
 		return {
 			hasComposerSession: false,
-			// The currently open account-settings dialog. The account is kept
-			// after closing so the dialog stays mounted for its out-transition.
-			settingsAccount: null,
+			// Id of the account whose settings dialog is open. The id is kept after
+			// closing so the dialog stays mounted for its out-transition. The account
+			// object itself is resolved reactively (see settingsAccount) so settings
+			// sub-components observe store updates live instead of a stale snapshot.
+			settingsAccountId: null,
 			settingsOpen: false,
 			settingsSection: undefined,
 		}
@@ -80,6 +82,12 @@ export default {
 		activeMailbox() {
 			return this.mainStore.getMailbox(this.$route.params.mailboxId)
 		},
+
+		settingsAccount() {
+			return this.settingsAccountId !== null
+				? this.mainStore.getAccount(this.settingsAccountId)
+				: null
+		},
 	},
 
 	watch: {
@@ -105,7 +113,7 @@ export default {
 			immediate: true,
 			handler(settings) {
 				if (settings?.accountId) {
-					this.settingsAccount = this.mainStore.getAccount(settings.accountId)
+					this.settingsAccountId = settings.accountId
 					this.settingsSection = settings.section
 					// Mount first (settingsAccount), then open on the next tick so the
 					// dialog's `open` watcher fires and runs its on-open side effects.

From 01882c4e3109fb08790f93067418f4088b4ea08d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 21:26:34 +0200
Subject: [PATCH 10/11] fix(message): render stacked images and external SVGs
 correctly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- allow HTML5 <figure>/<figcaption> in the mail HTML purifier so
  CKEditor image figures keep stacking instead of collapsing into
  inline, side-by-side images
- serve proxied external SVG images as sanitised image/svg+xml so
  browsers render them instead of leaving them blank

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Controller/ProxyController.php            | 30 +++++++++
 lib/Service/Html.php                          |  9 +++
 tests/Unit/Controller/ProxyControllerTest.php | 64 +++++++++++++++++++
 3 files changed, 103 insertions(+)

diff --git a/lib/Controller/ProxyController.php b/lib/Controller/ProxyController.php
index 3b44a15254..812037b4f2 100644
--- a/lib/Controller/ProxyController.php
+++ b/lib/Controller/ProxyController.php
@@ -13,6 +13,7 @@
 use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Http\ProxyDownloadResponse;
 use OCA\Mail\Service\MailManager;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
@@ -28,6 +29,9 @@
 use Psr\Log\LoggerInterface;
 use function file_get_contents;
 use function hash_equals;
+use function ltrim;
+use function stripos;
+use function str_starts_with;
 
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 class ProxyController extends Controller {
@@ -37,6 +41,7 @@ class ProxyController extends Controller {
 	private LoggerInterface $logger;
 	private ProxyHmacGenerator $hmacGenerator;
 	private MailManager $mailManager;
+	private SvgSanitizer $svgSanitizer;
 	private ?string $userId;
 
 	public function __construct(string $appName,
@@ -47,6 +52,7 @@ public function __construct(string $appName,
 		ProxyHmacGenerator $hmacGenerator,
 		LoggerInterface $logger,
 		MailManager $mailManager,
+		SvgSanitizer $svgSanitizer,
 		?string $userId) {
 		parent::__construct($appName, $request);
 		$this->request = $request;
@@ -56,6 +62,7 @@ public function __construct(string $appName,
 		$this->logger = $logger;
 		$this->hmacGenerator = $hmacGenerator;
 		$this->mailManager = $mailManager;
+		$this->svgSanitizer = $svgSanitizer;
 		$this->userId = $userId;
 	}
 
@@ -112,6 +119,29 @@ public function proxy(string $src, ?int $id, ?string $hmac): Response {
 			$content = file_get_contents(__DIR__ . '/../../img/blocked-image.png');
 		}
 
+		$content = (string)$content;
+
+		// Browsers sniff raster image formats in <img> tags, but they refuse to
+		// render SVG unless it is served with the image/svg+xml content type.
+		// Detect and sanitise SVG markup so external SVG logos are displayed
+		// instead of staying blank. Sanitising also strips any active content in
+		// case the response is fetched through a direct (non-<img>) navigation.
+		if ($this->looksLikeSvg($content)) {
+			$content = $this->svgSanitizer->sanitize($content);
+			return new ProxyDownloadResponse($content, $src, 'image/svg+xml');
+		}
+
 		return new ProxyDownloadResponse($content, $src, 'application/octet-stream');
 	}
+
+	/**
+	 * Heuristically decide whether the given bytes are an SVG document.
+	 */
+	private function looksLikeSvg(string $content): bool {
+		$start = ltrim($content);
+		$hasSvgPrologue = str_starts_with($start, '<?xml')
+			|| str_starts_with($start, '<!--')
+			|| stripos($start, '<svg') === 0;
+		return $hasSvgPrologue && stripos($content, '<svg') !== false;
+	}
 }
diff --git a/lib/Service/Html.php b/lib/Service/Html.php
index d56e8f1448..5e37eea584 100755
--- a/lib/Service/Html.php
+++ b/lib/Service/Html.php
@@ -154,6 +154,15 @@ public function sanitizeHtmlMailBody(int $messageId, string $mailBody, array $in
 		// Rewrite URL for redirection and proxying of content
 		/** @var HTMLPurifier_HTMLDefinition $def */
 		$def = $config->getHTMLDefinition(true);
+
+		// HTMLPurifier defaults to an HTML 4.01 schema which does not know the
+		// HTML5 <figure>/<figcaption> elements. Without registering them the
+		// figure wrappers are stripped and the contained images collapse from
+		// stacked blocks into inline siblings (rendered side by side). Editors
+		// such as CKEditor wrap images in figures, so keep them as block elements.
+		$def->addElement('figure', 'Block', 'Flow', 'Common');
+		$def->addElement('figcaption', 'Block', 'Flow', 'Common');
+
 		$def->info_attr_transform_post['imagesrc'] = new TransformImageSrc($this->urlGenerator);
 		$def->info_attr_transform_post['cssbackground'] = new TransformStyleURLs($this->urlGenerator);
 		$def->info_attr_transform_post['htmllinks'] = new TransformHTMLLinks();
diff --git a/tests/Unit/Controller/ProxyControllerTest.php b/tests/Unit/Controller/ProxyControllerTest.php
index ee6ed5cf0a..0c956fb6b7 100644
--- a/tests/Unit/Controller/ProxyControllerTest.php
+++ b/tests/Unit/Controller/ProxyControllerTest.php
@@ -15,6 +15,7 @@
 use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Http\ProxyDownloadResponse;
 use OCA\Mail\Service\MailManager;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Response;
@@ -53,6 +54,9 @@ class ProxyControllerTest extends TestCase {
 	/** @var MailManager|MockObject */
 	private $mailManager;
 
+	/** @var SvgSanitizer|MockObject */
+	private $svgSanitizer;
+
 	private string $userId = 'user';
 
 	/** @var ProxyController */
@@ -68,6 +72,7 @@ protected function setUp(): void {
 		$this->clientService = $this->createMock(IClientService::class);
 		$this->hmacGenerator = $this->createMock(ProxyHmacGenerator::class);
 		$this->mailManager = $this->createMock(MailManager::class);
+		$this->svgSanitizer = $this->createMock(SvgSanitizer::class);
 		$this->logger = new NullLogger();
 	}
 
@@ -90,6 +95,7 @@ public function testProxyWithoutCookies(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -136,12 +142,67 @@ public function testProxy(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
+			$this->userId,
+		);
+
+		$response = $this->controller->proxy($src, $id, $validHmac);
+
+		$this->assertInstanceOf(ProxyDownloadResponse::class, $response);
+	}
+
+	public function testProxySanitizesAndServesSvg(): void {
+		$src = 'https://example.com/logo.svg';
+		$id = 1;
+		$validHmac = 'valid-hmac-hash';
+		$content = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
+		$sanitized = '<svg xmlns="http://www.w3.org/2000/svg"></svg>';
+		$httpResponse = $this->createMock(IResponse::class);
+		$this->request->expects(self::once())
+			->method('passesStrictCookieCheck')
+			->willReturn(true);
+		$this->session->expects($this->once())
+			->method('close');
+		$this->hmacGenerator->expects($this->once())
+			->method('generate')
+			->with($id, $src)
+			->willReturn($validHmac);
+		$this->mailManager->expects($this->once())
+			->method('getMessage')
+			->with($this->userId, $id);
+		$client = $this->getMockBuilder(IClient::class)->getMock();
+		$this->clientService->expects($this->once())
+			->method('newClient')
+			->willReturn($client);
+		$client->expects($this->once())
+			->method('get')
+			->with($src)
+			->willReturn($httpResponse);
+		$httpResponse->expects($this->once())
+			->method('getBody')
+			->willReturn($content);
+		$this->svgSanitizer->expects($this->once())
+			->method('sanitize')
+			->with($content)
+			->willReturn($sanitized);
+		$this->controller = new ProxyController(
+			$this->appName,
+			$this->request,
+			$this->urlGenerator,
+			$this->session,
+			$this->clientService,
+			$this->hmacGenerator,
+			$this->logger,
+			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
 		$response = $this->controller->proxy($src, $id, $validHmac);
 
 		$this->assertInstanceOf(ProxyDownloadResponse::class, $response);
+		$this->assertSame('image/svg+xml', $response->getHeaders()['Content-Type']);
+		$this->assertSame($sanitized, $response->render());
 	}
 
 	public function testProxyWithInvalidHmac(): void {
@@ -172,6 +233,7 @@ public function testProxyWithInvalidHmac(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -199,6 +261,7 @@ public function testProxyWithMissingHmacParameters(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -231,6 +294,7 @@ public function testProxyWithMessageNotOwnedByUser(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 

From 59f3bff8031a19472b16745fcaa293f7fc4a3ba0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=ABl=20de=20Jager?= <contact@joeldejager.nl>
Date: Sun, 21 Jun 2026 21:48:25 +0200
Subject: [PATCH 11/11] fix(composer): make image alignment explicit and
 portable when sending
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Block-image alignment was encoded only as CKEditor CSS classes, which
recipients do not load. The unstyled (default) figure was left without
any inline alignment, so each client rendered it differently — Gmail and
Thunderbird centred it while Nextcloud Mail left-aligned it.

Inline auto-margins (matching CKEditor's positioning) plus text-align on
every image figure, including the default, so images align consistently
across all mail clients. Physical margins are used for Outlook
compatibility.

Signed-off-by: Joël de Jager <contact@joeldejager.nl>
---
 lib/Service/MimeMessage.php            | 42 ++++++++++++++++----------
 tests/Unit/Service/MimeMessageTest.php | 39 ++++++++++++++++++++++--
 2 files changed, 63 insertions(+), 18 deletions(-)

diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index 7bcd680890..abffd2e593 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -253,18 +253,27 @@ private function normalizeImageDimensions(DOMDocument $doc): void {
 	}
 
 	/**
-	 * Translates the editor's image-alignment classes into an inline text-align
-	 * style on the wrapping <figure>. Those classes rely on the editor's own
-	 * stylesheet, which recipients do not load; aligning the (inline) image via
-	 * text-align on its block wrapper is honoured by virtually every mail client.
-	 * The unstyled, left-aligned default needs no rewriting.
+	 * Translates the editor's image-alignment classes into inline styles on the
+	 * wrapping <figure>. The editor expresses alignment through CSS classes
+	 * backed by its own stylesheet, which recipients do not load. Without
+	 * inlining, every client falls back to its own default rendering of a bare
+	 * <figure> (some left-align it, others centre it), so even the unstyled
+	 * default must be made explicit to render consistently everywhere.
+	 *
+	 * A block image is positioned by the auto margins of its (width-constrained)
+	 * <figure> box, exactly like the editor does it; text-align additionally
+	 * aligns the image inside a figure that spans the full width. Physical
+	 * margins are used because the Word engine behind Outlook ignores the
+	 * logical margin-inline shorthand.
 	 */
 	private function normalizeImageAlignment(DOMDocument $doc): void {
 		$alignments = [
-			'image-style-block-align-left' => 'left',
-			'image-style-align-center' => 'center',
-			'image-style-block-align-right' => 'right',
+			'image-style-align-center' => 'margin-left: auto; margin-right: auto; text-align: center;',
+			'image-style-block-align-right' => 'margin-left: auto; margin-right: 0; text-align: right;',
+			'image-style-block-align-left' => 'margin-left: 0; margin-right: auto; text-align: left;',
 		];
+		// The unstyled state is the editor's left-aligned default.
+		$default = 'margin-left: 0; margin-right: auto; text-align: left;';
 
 		foreach ($doc->getElementsByTagName('figure') as $figure) {
 			if (!($figure instanceof DOMElement)) {
@@ -272,19 +281,20 @@ private function normalizeImageAlignment(DOMDocument $doc): void {
 			}
 
 			$classes = $figure->getAttribute('class');
-			if ($classes === '') {
+			if (!str_contains($classes, 'image')) {
 				continue;
 			}
 
-			foreach ($alignments as $class => $align) {
-				if (!str_contains($classes, $class)) {
-					continue;
+			$alignment = $default;
+			foreach ($alignments as $class => $style) {
+				if (str_contains($classes, $class)) {
+					$alignment = $style;
+					break;
 				}
-
-				$style = rtrim(trim($figure->getAttribute('style')), ';');
-				$figure->setAttribute('style', ($style === '' ? '' : $style . '; ') . 'text-align: ' . $align);
-				break;
 			}
+
+			$style = rtrim(trim($figure->getAttribute('style')), ';');
+			$figure->setAttribute('style', ($style === '' ? '' : $style . '; ') . $alignment);
 		}
 	}
 
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index e00c41909b..48603dbf2e 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -496,11 +496,46 @@ public function testNormalizeImageAlignment(): void {
 		/** @var Horde_Mime_Part[] $subParts */
 		$subParts = $part->getParts();
 		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: auto; margin-right: auto', $htmlBody);
 		$this->assertStringContainsString('text-align: center', $htmlBody);
 	}
 
-	public function testNormalizeImageAlignmentLeavesDefaultUntouched(): void {
-		$html = '<figure class="image"><img src="https://example.com/logo.png"></figure>';
+	public function testNormalizeImageAlignmentRight(): void {
+		$html = '<figure class="image image-style-block-align-right"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: auto; margin-right: 0', $htmlBody);
+		$this->assertStringContainsString('text-align: right', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentMakesDefaultExplicit(): void {
+		$html = '<figure class="image image_resized" style="width:300px;"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: 0; margin-right: auto', $htmlBody);
+		$this->assertStringContainsString('text-align: left', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentIgnoresNonImageFigures(): void {
+		$html = '<figure class="media"><img src="https://example.com/logo.png"></figure>';
 
 		$part = $this->mimeMessage->build(
 			null,