HTML Injection issue via msgId

[seisvelas]

This is issue "FLO-02-004 Extension: HTML Injection in error message on certain pages" from the Cure53 report. From the report itself:

A HTML injection was found on pgp_block.htm via the error message. This is becausethe returned message from the API call is rendered as HTML. However, this issue doesnot introduce XSS because the rendered content is sanitized and only allowed safe tags.Besides, CSP of WebExtension will block this attack nevertheless. At the same time, thiscould still be used for Phishing.PoC (Replace the logged-in email address in the highlighted area):chrome-extension://emghkmengffbgcnpcajidfdkffaikghk/chrome/elements/pgp_block.htm?frameId=&hasPassword=cu_false&msgId=%3Cs%3E&senderEmail=&isOutgoing=cu_true&acctEmail=EMAIL_ADDRESS&parentTabId=

Currently we are sanitizing this, which prevents it from being a much more serious issue. Nevertheless, this should be fixed by escaping the output so user input is not rendered as HTML in the error message.

[tomholub]

The issue is not limited just to msgid - the larger issue is that the stringified exception text should be Xss sanitised when passing it to the rendering functuion

[seisvelas]

Okay, so one might expect the relevant sanitization to be here:

flowcrypt-browser/extension/js/common/view.ts

Lines 27 to 34 in e7e0feb

	Xss.sanitizeRender('body', `
	<br>
	<div data-test="container-err-title" style="width: 900px;display:inline-block;">${ApiErr.eli5(e)}</div>
	<br><br>
	<div data-test="container-err-text" style="width: 900px;display:inline-block;">${String(e)}</div>
	<br><br>
	${Ui.retryLink()}
	`);

That code does render other errors. For example, in the case of the API traversal error, we see that the rendered divs are the ones created by the above:

<div style="width: 900px;display:inline-block;" data-test="container-err-title">FlowCrypt encountered an error with unknown cause.</div>
<br><br>
<br><div style="width: 900px;display:inline-block;" data-test="container-err-text">Error: API path traversal forbidden</div>

However, the error that is leading to renderable HTML does not originate there. We can tell by looking at the div tag that is generated:

<div class="error">Error: Bad Request: 400 when GET-ing https://www.googleapis.com/gmail/v1/users/me/messages/<s> object: format -&gt; Invalid id value</s></div>

This div has very different properties. It originates here:

flowcrypt-browser/extension/chrome/elements/pgp_block_modules/pgp-block-error-module.ts

Line 24 in def2eba

await this.view.renderModule.renderContent(`<div class="error">${errBoxContent.replace(/\n/g, '<br>')}</div>${showRawMsgPrompt}`, true);

If so, I should be able to prevent tags from rendering by simply escaping errBoxContent. Simply adding another call to .replace() ought to suffice. I'll submit a PR momentarily.