[Fix] Skip HTML_DISPLAYED URLs in CTA detection

HTML_DISPLAYED URLs are phishing bait text (display-only) and should
not be considered for CTA (call-to-action) detection. Only real link
targets should be analyzed for CTA purposes.

diff --git a/src/libserver/html/html_cta.cxx b/src/libserver/html/html_cta.cxx
index 8646b8b50aec45fd908f83b57d51f8fbee8de04f..2e2579828a6cb6a511f52b9593255ab064e417eb 100644 (file)
--- a/src/libserver/html/html_cta.cxx
+++ b/src/libserver/html/html_cta.cxx
@@ -529,6 +529,7 @@ void rspamd_html_process_cta_urls(struct rspamd_mime_text_part *text_part,
                if (!(u->protocol == PROTOCOL_HTTP || u->protocol == PROTOCOL_HTTPS)) continue;
                if (u->flags & RSPAMD_URL_FLAG_INVISIBLE) continue;
                if (u->flags & RSPAMD_URL_FLAG_IMAGE) continue;
+               if (u->flags & RSPAMD_URL_FLAG_HTML_DISPLAYED) continue; /* Skip display-only URLs (phishing bait text) */
 
                /* Use button_weight to filter CTA URLs vs technical URLs
          * Technical tags like <link rel>, <script src> have weight=0