HTML Injection issue via msgId #2770
Comments
The issue is not limited just to msgId. The larger issue is that the stringified exception text should be XSS-sanitised when passing it to the rendering function.
Okay, so one might expect the relevant sanitization to be here: flowcrypt-browser/extension/js/common/view.ts Lines 27 to 34 in e7e0feb
That code does render other errors. For example, in the case of the API traversal error, we see that the rendered divs are the ones created by the above:

<div style="width: 900px;display:inline-block;" data-test="container-err-title">FlowCrypt encountered an error with unknown cause.</div>
<br><br>
<br><div style="width: 900px;display:inline-block;" data-test="container-err-text">Error: API path traversal forbidden</div>

However, the error that is leading to renderable HTML does not originate there. We can tell by looking at the div tag that is generated:

<div class="error">Error: Bad Request: 400 when GET-ing https://www.googleapis.com/gmail/v1/users/me/messages/<s> object: format -> Invalid id value</s></div>

This div has very different properties. It originates here: flowcrypt-browser/extension/chrome/elements/pgp_block_modules/pgp-block-error-module.ts Line 24 in def2eba
If so, I should be able to prevent tags from rendering by simply escaping.
This is issue "FLO-02-004 Extension: HTML Injection in error message on certain pages" from the Cure53 report. From the report itself:
Currently we are sanitizing this, which prevents it from being a much more serious issue. Nevertheless, this should be fixed by escaping the output so user input is not rendered as HTML in the error message.
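The two rendering patterns discussed in this thread, side by side, as an added example that is not FlowCrypt's code and does not use its Xss helper: the error string interpolated raw into the `<div class="error">` template (the pattern behind the injection) next to the same template with the text HTML-escaped first, plus a check that counts how many tags the interpolated text smuggled into the markup. The names escapeHtml, renderErrorUnsafe, renderErrorSafe, injectedTagCount and the attacker-controlled message id are assumptions made for the example; the sample error string is constructed to mirror the shape of the one quoted above.

```javascript
// Added example, not FlowCrypt's code. Contrasts raw interpolation of an error
// string into an HTML template with HTML-escaped interpolation.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stringified exception is dropped into markup as-is,
// so any tags inside it become part of the DOM once the string is rendered.
function renderErrorUnsafe(err) {
  return `<div class="error">${String(err)}</div>`;
}

// Hardened pattern: identical markup, but the exception text is escaped first,
// so angle brackets from the error arrive in the DOM as literal text.
function renderErrorSafe(err) {
  return `<div class="error">${escapeHtml(String(err))}</div>`;
}

// Count the tags inside the wrapper div. The wrapper's own open/close tags are
// stripped first, so anything counted here came from the interpolated text.
function injectedTagCount(html) {
  const wrapper = /^<div class="error">([\s\S]*)<\/div>$/.exec(html);
  if (!wrapper) throw new Error('unexpected wrapper markup');
  const tags = wrapper[1].match(/<\/?[a-zA-Z][^>]*>/g);
  return tags ? tags.length : 0;
}

// Constructed sample input (hypothetical): a message id carrying markup ends up
// in the Gmail API URL and from there in the error message text.
const attackerMsgId = '<s>x</s><img src=x onerror=alert(1)>';
const sampleError = new Error(
  `Bad Request: 400 when GET-ing https://www.googleapis.com/gmail/v1/users/me/messages/${attackerMsgId}`,
);
```

Calling injectedTagCount(renderErrorUnsafe(sampleError)) reports three foreign tags in the rendered div, while the escaped variant reports none and the `<img ...>` payload survives only as `&lt;img ...&gt;`. In a browser the simpler fix is to assign the error text with textContent (or jQuery's .text()) instead of building HTML at all; an escaper like the one above is only needed where the string genuinely has to pass through innerHTML.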