From 8d977006328888bf7b6bb98afb686d51438bc102 Mon Sep 17 00:00:00 2001 From: martgil Date: Fri, 29 May 2026 16:13:03 +0800 Subject: [PATCH 01/10] fix: improve css validation --- extension/js/common/platform/xss.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 9e5c5c0536c..9ad27b577f5 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -49,7 +49,7 @@ export class Xss { private static ADD_ATTR = ['email', 'page', 'addurltext', 'longid', 'index', 'target', 'fingerprint', 'cryptup-data']; private static FORBID_ATTR = ['background']; private static HREF_REGEX_CACHE: RegExp | undefined; - private static FORBID_CSS_STYLE = /z-index:[^;]+;|position:[^;]+;|background[^;]+;/g; + private static FORBID_CSS_STYLE = /z-index:[^;]+(?=;|$)|position:[^;]+(?=;|$)|background[^;]+(?=;|$)/gi; private static EMOJI_REGEX = /(?![*#0-9]+)[\p{Emoji}\p{Emoji_Modifier}\p{Emoji_Component}\p{Emoji_Modifier_Base}\p{Emoji_Presentation}]/gu; public static sanitizeRender = (selector: string | HTMLElement | JQuery, dirtyHtml: string) => { @@ -118,6 +118,7 @@ export class Xss { const style = node.getAttribute('style')?.toLowerCase(); if (style && (style.includes('url(') || style.includes('@import'))) { node.removeAttribute('style'); // don't want any leaks through css url() + return; // stop processing: do not re-add any part of this style attribute } // strip css styles that could use to overlap with the extension UI if (style && Xss.FORBID_CSS_STYLE.test(style)) { From a644697e55ed65832fc36224fc5e08ac0c556ae5 Mon Sep 17 00:00:00 2001 From: martgil Date: Mon, 1 Jun 2026 17:48:49 +0800 Subject: [PATCH 02/10] feat: strip usage of url() in css --- extension/js/common/platform/xss.ts | 43 ++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 9ad27b577f5..87415cba932 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -49,7 +49,8 @@ export class Xss { private static ADD_ATTR = ['email', 'page', 'addurltext', 'longid', 'index', 'target', 'fingerprint', 'cryptup-data']; private static FORBID_ATTR = ['background']; private static HREF_REGEX_CACHE: RegExp | undefined; - private static FORBID_CSS_STYLE = /z-index:[^;]+(?=;|$)|position:[^;]+(?=;|$)|background[^;]+(?=;|$)/gi; + private static FORBID_CSS_STYLE = + /z-index:[^;]+(?=;|$)|position:[^;]+(?=;|$)|background[^;]+(?=;|$)|display:\s*none|visibility:\s*hidden|opacity:\s*0(?:\.\d+)?|transform:[^;]+|clip(?:-path)?:[^;]+|margin(?:-top|-right|-bottom|-left)?:[^;]+|padding(?:-top|-right|-bottom|-left)?:[^;]+|border(?:-top|-right|-bottom|-left|-width|-style|-color)?:[^;]+|top:[^;]+|left:[^;]+|right:[^;]+|bottom:[^;]+|filter:[^;]+|pointer-events:\s*none|font-size:\s*0(?:px|em|rem)?|line-height:\s*0(?:px|em|rem)?|width:\s*0(?:px)?|height:\s*0(?:px)?|text-indent:\s*-\d/gi; private static EMOJI_REGEX = /(?![*#0-9]+)[\p{Emoji}\p{Emoji_Modifier}\p{Emoji_Component}\p{Emoji_Modifier_Base}\p{Emoji_Presentation}]/gu; public static sanitizeRender = (selector: string | HTMLElement | JQuery, dirtyHtml: string) => { @@ -115,15 +116,16 @@ export class Xss { // Handle style attributes if (node.hasAttribute('style')) { // mitigation rather than a fix, which will involve updating CSP, see https://github.com/FlowCrypt/flowcrypt-browser/issues/2648 - const style = node.getAttribute('style')?.toLowerCase(); - if (style && (style.includes('url(') || style.includes('@import'))) { - node.removeAttribute('style'); // don't want any leaks through css url() - return; // stop processing: do not re-add any part of this style attribute - } - // strip css styles that could use to overlap with the extension UI + let style = node.getAttribute('style') || ''; + style = Xss.sanitizeCssStyle(style); if (style && Xss.FORBID_CSS_STYLE.test(style)) { const updatedStyle = style.replace(Xss.FORBID_CSS_STYLE, ''); node.setAttribute('style', updatedStyle); + } else if (style) { + // if style was modified but still present, update it + node.setAttribute('style', style); + } else { + node.removeAttribute('style'); } } @@ -275,6 +277,33 @@ export class Xss { } }; + /** + * Remove @import rules and any url(...) that would cause an out‑of‑band request. + * Only data: and cid: URLs are allowed. + */ + private static sanitizeCssStyle = (css: string): string => { + let cleaned = css.replace(/@import\s+[^;]*;?/gi, ''); + const urlRegex = /url\(\s*(["']?)(.*?)\1\s*\)/gi; + let match; + // eslint-disable-next-line no-null/no-null + while ((match = urlRegex.exec(cleaned)) !== null) { + const fullMatch = match[0]; + const url = match[2]; + // Only allow data: and cid: schemes + const isSafe = /^(data:|cid:)/i.test(url); + if (!isSafe) { + // Remove the unsafe url(...) token completely + cleaned = cleaned.replace(fullMatch, ''); + } + } + // Clean up leftover artifacts: empty declarations, double semicolons + cleaned = cleaned + .replace(/;\s*;/g, ';') + .replace(/^\s*;\s*/, '') + .trim(); + return cleaned; + }; + /** * allow href links that have same origin as our extension + cid + inline image */ From 7bfe08701fa30f7bd0db197cc005189160d5eacd Mon Sep 17 00:00:00 2001 From: martgil Date: Tue, 2 Jun 2026 16:34:16 +0800 Subject: [PATCH 03/10] fix: strict css style --- extension/js/common/platform/xss.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 87415cba932..930269a6fff 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -50,7 +50,7 @@ export class Xss { private static FORBID_ATTR = ['background']; private static HREF_REGEX_CACHE: RegExp | undefined; private static FORBID_CSS_STYLE = - /z-index:[^;]+(?=;|$)|position:[^;]+(?=;|$)|background[^;]+(?=;|$)|display:\s*none|visibility:\s*hidden|opacity:\s*0(?:\.\d+)?|transform:[^;]+|clip(?:-path)?:[^;]+|margin(?:-top|-right|-bottom|-left)?:[^;]+|padding(?:-top|-right|-bottom|-left)?:[^;]+|border(?:-top|-right|-bottom|-left|-width|-style|-color)?:[^;]+|top:[^;]+|left:[^;]+|right:[^;]+|bottom:[^;]+|filter:[^;]+|pointer-events:\s*none|font-size:\s*0(?:px|em|rem)?|line-height:\s*0(?:px|em|rem)?|width:\s*0(?:px)?|height:\s*0(?:px)?|text-indent:\s*-\d/gi; + /(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:/i; private static EMOJI_REGEX = /(?![*#0-9]+)[\p{Emoji}\p{Emoji_Modifier}\p{Emoji_Component}\p{Emoji_Modifier_Base}\p{Emoji_Presentation}]/gu; public static sanitizeRender = (selector: string | HTMLElement | JQuery, dirtyHtml: string) => { From 4caef100c9d27bc0454cd1974dadda7a68648341 Mon Sep 17 00:00:00 2001 From: martgil Date: Wed, 3 Jun 2026 18:36:44 +0800 Subject: [PATCH 04/10] fix: add global flag on forbidden css regex --- extension/js/common/platform/xss.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 930269a6fff..c33dfde5e8c 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -50,7 +50,7 @@ export class Xss { private static FORBID_ATTR = ['background']; private static HREF_REGEX_CACHE: RegExp | undefined; private static FORBID_CSS_STYLE = - /(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:/i; + /(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*;?/gi; private static EMOJI_REGEX = /(?![*#0-9]+)[\p{Emoji}\p{Emoji_Modifier}\p{Emoji_Component}\p{Emoji_Modifier_Base}\p{Emoji_Presentation}]/gu; public static sanitizeRender = (selector: string | HTMLElement | JQuery, dirtyHtml: string) => { From 4b3758ea0b36e990b6f9d95c73c73b971dba7ca3 Mon Sep 17 00:00:00 2001 From: martgil Date: Thu, 4 Jun 2026 18:55:27 +0800 Subject: [PATCH 05/10] wip: cleanup --- extension/js/common/platform/xss.ts | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index c33dfde5e8c..213e58e2273 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -283,19 +283,11 @@ export class Xss { */ private static sanitizeCssStyle = (css: string): string => { let cleaned = css.replace(/@import\s+[^;]*;?/gi, ''); - const urlRegex = /url\(\s*(["']?)(.*?)\1\s*\)/gi; - let match; - // eslint-disable-next-line no-null/no-null - while ((match = urlRegex.exec(cleaned)) !== null) { - const fullMatch = match[0]; - const url = match[2]; + cleaned = cleaned.replace(/url\(\s*(["']?)(.*?)\1\s*\)/gi, (fullMatch: string, _, url: string) => { // Only allow data: and cid: schemes const isSafe = /^(data:|cid:)/i.test(url); - if (!isSafe) { - // Remove the unsafe url(...) token completely - cleaned = cleaned.replace(fullMatch, ''); - } - } + return isSafe ? fullMatch : ''; + }); // Clean up leftover artifacts: empty declarations, double semicolons cleaned = cleaned .replace(/;\s*;/g, ';') From d554ccb6519f43307ada179984364b10f17e4833 Mon Sep 17 00:00:00 2001 From: martgil Date: Fri, 5 Jun 2026 19:32:24 +0800 Subject: [PATCH 06/10] fix: style sanitation --- extension/js/common/platform/xss.ts | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 213e58e2273..7a901aa78f6 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -282,18 +282,19 @@ export class Xss { * Only data: and cid: URLs are allowed. */ private static sanitizeCssStyle = (css: string): string => { - let cleaned = css.replace(/@import\s+[^;]*;?/gi, ''); - cleaned = cleaned.replace(/url\(\s*(["']?)(.*?)\1\s*\)/gi, (fullMatch: string, _, url: string) => { - // Only allow data: and cid: schemes - const isSafe = /^(data:|cid:)/i.test(url); - return isSafe ? fullMatch : ''; - }); - // Clean up leftover artifacts: empty declarations, double semicolons - cleaned = cleaned - .replace(/;\s*;/g, ';') - .replace(/^\s*;\s*/, '') - .trim(); - return cleaned; + return css + .split(';') + .map(part => part.trim()) + .filter(part => { + return !/^(z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:/i.test( + part + ); + }) + .filter(part => { + // remove url + import safely + return !/@import|url\(/i.test(part); + }) + .join('; '); }; /** From b2573ced63f840b12ca3128f985074f16a7ba68d Mon Sep 17 00:00:00 2001 From: martgil Date: Fri, 5 Jun 2026 19:38:46 +0800 Subject: [PATCH 07/10] test: add test --- .../message-export-19e9782fbc7127c4.json | 90 +++++++++++++++++++ test/source/tests/decrypt.ts | 22 +++++ 2 files changed, 112 insertions(+) create mode 100644 test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json diff --git a/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json b/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json new file mode 100644 index 00000000000..c8017132a2b --- /dev/null +++ b/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json @@ -0,0 +1,90 @@ +{ + "acctEmail": "flowcrypt.compatibility@gmail.com", + "full": { + "id": "19e9782fbc7127c4", + "threadId": "19e9782fbc7127c4", + "labelIds": [ + "Label_15", + "SENT", + "INBOX" + ], + "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAApvcvGPQGVrKP2q3Dr25A2TWVizkRhnyPbkHXHIeZ o3hnQH+", + "payload": { + "partId": "", + "mimeType": "multipart/mixed", + "filename": "", + "headers": [ + { + "name": "Content-Type", + "value": "multipart/mixed; boundary=\"----sinikael-?=_1-17806584032390.01454785934024927\"" + }, + { + "name": "Openpgp", + "value": "id=E8F0517BA6D7DAB6081C96E4ADAC279C95093207" + }, + { + "name": "From", + "value": "sender@domain.com" + }, + { + "name": "To", + "value": "flowcrypt.compatibility@gmail.com" + }, + { + "name": "Subject", + "value": "flowcrypt-browser #6234" + }, + { + "name": "Date", + "value": "Fri, 5 Jun 2026 04:20:04 -0700" + }, + { + "name": "MIME-Version", + "value": "1.0" + } + ], + "body": { + "size": 0 + }, + "parts": [ + { + "partId": "0", + "mimeType": "text/plain", + "filename": "", + "headers": [ + { + "name": "Content-Type", + "value": "text/plain" + }, + { + "name": "Content-Transfer-Encoding", + "value": "quoted-printable" + } + ], + "body": { + "size": 4553, + "data": "LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQpWZXJzaW9uOiBGbG93Q3J5cHQgRW1haWwgRW5jcnlwdGlvbiA4LjUuMTMNCkNvbW1lbnQ6IFNlYW1sZXNzbHkgc2VuZCBhbmQgcmVjZWl2ZSBlbmNyeXB0ZWQgZW1haWwNCg0Kd2NGTUEwdGFML3ptTFpVQkFSQUFwdmN2R1BRR1ZyS1AycTNEcjI1QTJUV1ZpemtSaG55UGJrSFhISWVaDQpvM2huUUgrMnVRMnAyMUVtckhWRHhiZVRzRUs0TTZ1bXJYdGMvWmQ0blZWeXR3Ymcvb0YreGREdWFKVnUNCk44TkF3LzJML3krd2FnNkJNSzBDR3NIRWtSN2VIZG9kbW5CaTkydCtqVVIvdTdWM25JclRxa3pjVFlqeA0KUXlUajBKWXRFSFRLVUMzVmY4TFlzdE1kakYzZmZ2T2tkKzEvQXF3anNBNzdQY1BjZFB1Tk43MkNMVXNSDQpacmtYYldTYzRyN2xmODJ3VTBqaFZacFVPdmZhZ2poak55eS9zRnJ5MWFpaXZUbWpXc29uRnRBVnl1L0sNCnB2ajR6MWN5bnhrUDNheVVMWThZdVp1MEU2Uy9uSVpPUnVUMTNjUjcySFNPR1hPR1BmeVorWUU4WHpoeQ0KSVVTTmdtYUZHblQ2Yk5iV3l6WW5GMDlGdmxSU1RNUXVJTGQrNnRtRmg0Y3M2bnpXZjlTNXh6Zmg0OFFCDQpWUzJPc2puWlk3ZE1aUitvekgyOVNWN3FNU3BDc2Q5TTlJUkwzRUlpWCttcGpyWFZkQXZZYXdWekVuWTgNCnJ2c3JObTBuMitnVWI2TXVJaDBLZnJFcnZ3ZlRNK2Frb3M4V0ViNWZHaU5rYVhlYUwrQjhWQzdtcUh6Yg0KOEgzeXRKaks3ZGl0QWcwT1dLb0c4SWorR2tBU2I5WWZCVUtSY0VraXpRN051VnZYWkhXMzY2TUp1MitoDQpFbkt4WHI5cFVVanovamEvTnE2Mm44ZjRCNDBYZGpxeTlQTFhVWlpEMGgvbVpsUmJBYWJGdWphOTlHUloNCklFQzRRdzN3enhkSi8yczZmUmQvb1QzWXQxZk1UTmlxbmZGNTE2a1Y5RHJCd1V3RHZiMTJZUGFaamNRQg0KRUFDOUltWlFkT0gyVFluTnlpZ2pJblFtcFp4SkNJdXJXa09vSGJVLys4NW9DR2hlWDJlRDVxNnpId3pGDQpBYnNiNzRmSDJ4akN3Z1VlRUFBaVJCNjBBdmltbUFjU0NVQjVFd2VqTGVqVUFlKzZlbHlpYnorMTY4c0oNCnZvR3BabHBXREI5MFhlUlFjamd0QlNOSE9VckVzZjhjWVJLZ2xHZW5RSDFsV0VFL3JvZTR1U0h2SXl3Mw0Kd2V3bm5aeXJyQzk5WUlseHFHdHJuMDRlYU40ZGxVK3dvNldDYkZsdER2bS9xRTNhU0pLY2k2eTFTWVdjDQppbTBuOFdHcmlBUnZoQXc2eTJkYzBPNTVkZEdGazAzeHBCcFNDY2NHOUtXeU1VN2haTW1hQlcrYVV1QnENCnAwRml4M25OZnJYblNSZ0hPWjZrcXNqQlJ3UXBhbGt0T0NQM1haV0FpelQxNTdJVnE0NlBVWCtvNncvSQ0KZkw1Si9ZV0hHY2dXNmhVM1o5a2FOUUw5TFhUa1NIZ0ZQNHc5eXhQcjBMakFGVVNsV3BFTnNEWGx5djJqDQpKcGxVK0h6Z2hmbGNubzlpaU9jc2gvczBIV1lxNjdnTFJFdXB4Ny9Uc1ZSY0x4MzVZd3QvemZRUG1vSSsNCjZrdWxyM1RTK0VaWEJVNUEyZGtiZVNMQjU2b1JXcUkvL3krai8zT1NyanJIank5VFRlZ01MU3loZ3FjMA0KcXpNMVNHUEhlZ001Q2htNm1peUtrLzVmQlNCdzFNdWhpQktpcHhjbkRDVWt0R0dYSXhPTVVLL29MRTk2DQorbFUyQzlUL0xIdXpFNjh4OWo5d0N5bkV1QVd1dHFJWWZRZVUrMEFoNWE4amNzSUFvNzEwTHpVYzBNTzgNClVMK1h5N2pCRGJWd2c2YWR6a0N4Y1VFTWVjSEJUQU5MV2kvODVpMlZBUUVRQUkxNUZsZEI2enQvVzIrMw0KUVpoSmNVdy92RWlIdExVK05zUGh6Z3NZNFhUTlhCSTQ1Vk5ySlJ1OEs1bG1sNXhJM0owdnpIUDdaYlloDQo1R1VPOTEyODBBT211T09RUklSTDBPZ3BRbElvclJ3aXJtWUdCZkNQS0N4Ukw4YWxUazdMRjltNHgwaGoNCllqclNkNCtURmZhOFllQlpKbGpzNm9IVHIvaUgrSldydmFvcG92dFZHTUdSTHJROWR5Ym9GelRURXljbA0KUEdiWTZUazFXc0o1U0hwSm5LOUJZNGlra1hTdjVaeU9jVGU5Tm9wR3FNdHlSTk9DZTB3aHEyaVNvRnV6DQpUeElubDd0NVBVWGpGQVQ4ZDZlUVc2U1Y3SGhVZnpOZnNrdW4vSExJbXZzV0JxMWpRbGZ2TjhwdXJwTloNCkk3Uzltc0N6TTlKOXUvK01CaGJRQkpnd3p5c0hmWmhyZDIrSnVyeE9aLzljTFhoV0lNd0ZZVDJjWm95aQ0KUWR2MnFvNTJkbTR0bXR0OFY2S3Y1bkNiOFlVb29Dd1o4RTRuV1IxYWhKNm1rWXkvNkd1eWtBdG05WUxkDQp1d0FWeDBDTXRML2RVUHBycFVMbVJFUUo2WE9jZ1k2UnBrb2g4OG8yY1dEc0p2WWp4K0FGQXQzMjJ0ZXoNCm02QU03UUNSYUpwNVl6R1dXU1lsRGtsVGQxVlhYb1o1ZnNKMzFQMC95YzJReURPMnhZVUNmTEtaY2hCKw0KMVhOKzhhV0RERDhaTkJpSWNBaHBTRVY3YkUrN3R4dmNmQTNxVEd2TkJRQ0dYUUt2WVdIQUZ2TVZjNXcwDQpsQVlYeitjNlJBMVloNXVrKytYMnFDejR4YnJ0TGYzWmRjQ2hONzV5WDJVcFhMTm9mM1JNMkJ2VGlHa1gNCjI4OXBKenBld2NGTUE3MjlkbUQybVkzRUFRLy9kL0JsWDFsRGN1eE10S2t3ZzBnOXZ2Y0lUN1FPSnllNg0KdmUwYnMyd0FlSnFtRlhPVEJMWWNQOS9VdmcvK0ZITXdqRG1CZnJ1Rk1KYXBoeWdKVkFSdHAzOW1ZV2c5DQpXLzdXTDdSNHNlSkFGQkViY0V6OE9FRVl3L0x1SFEvSzJra3AvMmozS0hZTlZ6SGNvNHkwMUtmOFNURVANCldHbEJmRXEzQjVnZk1VSEEwZmRXOFJqUUdWMDc1M1kxQUpMdXkwNjdsb1pVckc4Y1I0OGFUZ0lUaUpHLw0KWTZSekp5NWo0akZ5dTg1UlpjaVh3M1g4eFR3TnlTQmU5RGZQSG9BWWRlMDBSc0J5emYzQW50cDc4UllnDQpvdDVQL2h5eW1NbVV0Qk93UzlVZGdWUklTZ3pnczBPTFhrcHFaUEwzVjJWYmFMdkVmcjdReE9WNWZ4Y1kNCi80NDJHY0RZY0hieHp5eEtnTTA5WVpWUlh5bHkvSWk2YkdvanZEOVNiSjNNTXdmTElhTVNzcXJhUjErMA0KbUNHUlJ2N216N0wyV0NMZld2NmNseE9vM1pFU2QwYUdBcTFUK2syS3FOMUluN3ZXcTc1MFdia3FOa3V0DQpkUjk0RzhnSWdzQnBFaVFYT25ETFlSbTFmek11MzdUdEtKaTBJajNUNCtkVlE2TlFUazNSN2RQRVJzaW4NClhJYVZkaXIrL09vSXA3ZDJWcTZXQjZOcHNQTWl3UnJJOStLRnk5QjB1SUZxbWZLMHNPeXp5MFcxaktKUA0KcUpwUzlKd3hQM1QrYlBaSFhHSk16RDdVaHI1NUpZSmU5bytMcEJBeVhxNlloSE12QjZSc3J6RUVrNVBhDQpwb3FpeUJpcVRIY1NBQlhIdzhuN1V4NlpIenAwaWZCN1VCQkFqNFNFR2xhU2p4VUFaU0hTdzNJQkNQVlkNCkpwdVVmVWhrSUJYVUZJeWxCOFBvQWVycjBRdHRTVTBOVXgwWC94dVJGcDNobXdLanJrZFhCN0ZwUm5KdQ0KTnpScGc3VHVjRk50ckQ2Q3lrUmRsWkgzY1VaTEFBTmk4dmMrcjJDMnRGczhDRHdPQWtPRXBOTExlSmdlDQpDNUcxV0QzeFRaMGdMbG5pOHZ6N0ZOemFYNjdaOHlnUGxEVVF1RmFZaExFdys1N0ZqaWZORDhvWlU4MzMNCnRwNnc4RFdNQ2xBY1JiV1c2cG1SdG9nTDFPN3ZxWUxCbWIxT1BnOHR6aFdqYnhJMHh1a3NsdHRTemt1TQ0KWXBJWnVRcDhvdTlYTmhIQ2srU0s2aEhidUxVUkUvMENRc2YzcXEzZ2N5REw4RTJNS2VBQjAwMUFWQytvDQpETitxdWtnckVZWnhZUjNTUXQweUpzVFNJdHdua0RoNHJ5SHQvamdaS2NLZG5EalpYSTFONW1ucDZTRkYNCjVwWFI5RXBaTURaT2pkamllZGNrOWlKSGVhV0VyblBhcXpqL3Q1NWo5cit3Zjh0U1FYTmkwWHlBWXc4RA0KZElRUXlYdXZnUUpiNkh6TkxvTm5iN2VKUkU2eklzZW12QWk0ZU4zQUFHYmFodW12dVRqTEQxUHpXOFV5DQpUVDlRaUFhaVVwVmhnQ0s1cnVYZkI1TTd6c0NDMll4aUhKQ05QRys0Y0pSTkxic3hZbk5kUUhyQnJwaHQNCk8rc0xwZHZ0ZVkrRC9qeWVkRmxOSlEyYWxtWFZKTDVVUzNzQW1LRXRreGwzampDZndmNW1aT3JoVU9qeA0KellnaEd6TG01MXllNk9KVUJxcldXVHczMmNTTzV5ZS9EazI5MUFoWDA4QXdXa1V0QTBtM0JXeitzcDB2DQo4eEFjeHRNRTBsdEdkR2xxK01vSWFwQ3YrK1JUTkZqWFVTNSt2SHMzWldCZnVIOUt1QWZkNHdKSnE3ak0NCnlaNTVHbFhESVFHR3Q1Tno4UGFUZS96Y0xocjhwaUVNSHptWW40SXZoUVY5dnRaNUVYelgwRzkvS3FiQg0KbEx4U1R5cHpWZXM4QmVTM0xMUERtR3pYeFB0Q0Znd2hQcTMwZkU2d2psT3dCRnBLTm9Ta1BJOWhjUlpVDQpBeDAydGZGd0trb3oxSTZ2Y1lYb0xPVHQ3R1owNlVZaWRyVEorOHhpKy9DeWxRam5vV295YlhOOG55MnINCmdUS1Y5OUVObU1EVXFTS01CZWVCZk1RdC9pam1GQVdwVWE2WkorZ1BhaEgrVFdKUVFFNndlblA0cmRSbw0KaFkxU1g2MUVYV1B5TGlDT1l1NWNiZm94aDdoZDVCZmZPdzMySDdEZXVGbTRLb2dweGI3MWxuWi9xVjVYDQpSdkNUbFhJc3RmeUR6NFpxTXlkZlRFb3FncW1ZYTJyWjBYWGVFL3gxUXFoV0hEUW9jK0ZDMHNZYVZWbXUNCmZIZStBMVJDeGI0c21WREVIY29hSTZnNitXakFRcEJkVVp0dDIybmhqZTd4T0k2Qmk3T0VYVVV6dmNOSg0KUGNoMmcxd1ZMdU5HUlV3bnlkeGZJSjRGUFVqRU5veDQ0MUd4cDNWZStPZXlSazVlUGdNUkJhOUpFNHpJDQoxUUVGdHkxT3ZBZmZEYUNyZUM3QVpkcUU4Qm8wa0l2SEtSNEEzUHlrOW5LSXFNWVdyU2tQNzRtZm85SWINCkFCRTg3a0ovWHBXMFFBUUJ3Vm1qV1JabFZjbFZoWGpjeGR0MldITG81THpBVUhkeWo3Rnc0TEtQY3VhRA0KczJKeEU4UVlubzN3VWxnallTOG0vaVhqNVVxd1locUQ3Vk53Mi9CV2xrWUQyZG9PbmNLdGh5dFgyVU1DDQpjVk1IaE9RdEFuZEoyelZBdUd5VWdwSTEzb1JscHFIMUk3TEFzeWR0Y04vZkpWbz0NCj1EVWloDQotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tDQo=" + } + } + ] + }, + "sizeEstimate": 5439, + "historyId": "1499152", + "internalDate": "1780658404000" + }, + "attachments": {}, + "raw": { + "id": "19e9782fbc7127c4", + "threadId": "19e9782fbc7127c4", + "labelIds": [ + "Label_15", + "SENT", + "INBOX" + ], + "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAApvcvGPQGVrKP2q3Dr25A2TWVizkRhnyPbkHXHIeZ o3hnQH+", + "sizeEstimate": 5439, + "raw": "UmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCUZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KUmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCUZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KQ29udGVudC1UeXBlOiBtdWx0aXBhcnQvbWl4ZWQ7DQogYm91bmRhcnk9Ii0tLS1zaW5pa2FlbC0_PV8xLTE3ODA2NTg0MDMyMzkwLjAxNDU0Nzg1OTM0MDI0OTI3Ig0KT3BlbnBncDogaWQ9RThGMDUxN0JBNkQ3REFCNjA4MUM5NkU0QURBQzI3OUM5NTA5MzIwNw0KRnJvbTogRmxvd0NyeXB0IENvbXBhdGliaWxpdHkgPGZsb3djcnlwdC5jb21wYXRpYmlsaXR5QGdtYWlsLmNvbT4NClRvOiBGbG93Q3J5cHQgQ29tcGF0aWJpbGl0eSA8Zmxvd2NyeXB0LmNvbXBhdGliaWxpdHlAZ21haWwuY29tPg0KU3ViamVjdDogZmxvd2NyeXB0LWJyb3dzZXIgIzYyMzQNCkRhdGU6IEZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KTWVzc2FnZS1JZDogPENBS2J1TFRxdD0rNGJjai14WkpoWXhKU3laX0FRaDZVbWl2RFdVZEJKMUt2VW5Cd2ZNUUBtYWlsLmdtYWlsLmNvbT4NCk1JTUUtVmVyc2lvbjogMS4wDQoNCi0tLS0tLXNpbmlrYWVsLT89XzEtMTc4MDY1ODQwMzIzOTAuMDE0NTQ3ODU5MzQwMjQ5MjcNCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbg0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogcXVvdGVkLXByaW50YWJsZQ0KDQotLS0tLUJFR0lOIFBHUCBNRVNTQUdFLS0tLS0NClZlcnNpb246IEZsb3dDcnlwdCBFbWFpbCBFbmNyeXB0aW9uIDguNS4xMw0KQ29tbWVudDogU2VhbWxlc3NseSBzZW5kIGFuZCByZWNlaXZlIGVuY3J5cHRlZCBlbWFpbA0KDQp3Y0ZNQTB0YUwvem1MWlVCQVJBQXB2Y3ZHUFFHVnJLUDJxM0RyMjVBMlRXVml6a1JobnlQYmtIWEhJZVoNCm8zaG5RSCsydVEycDIxRW1ySFZEeGJlVHNFSzRNNnVtclh0Yy9aZDRuVlZ5dHdiZy9vRit4ZER1YUpWdQ0KTjhOQXcvMkwveSt3YWc2Qk1LMENHc0hFa1I3ZUhkb2RtbkJpOTJ0K2pVUi91N1YzbklyVHFremNUWWp4DQpReVRqMEpZdEVIVEtVQzNWZjhMWXN0TWRqRjNmZnZPa2QrMS9BcXdqc0E3N1BjUGNkUHVOTjcyQ0xVc1INClpya1hiV1NjNHI3bGY4MndVMGpoVlpwVU92ZmFnamhqTnl5L3NGcnkxYWlpdlRtaldzb25GdEFWeXUvSw0KcHZqNHoxY3lueGtQM2F5VUxZOFl1WnUwRTZTL25JWk9SdVQxM2NSNzJIU09HWE9HUGZ5WitZRThYemh5DQpJVVNOZ21hRkduVDZiTmJXeXpZbkYwOUZ2bFJTVE1RdUlMZCs2dG1GaDRjczZueldmOVM1eHpmaDQ4UUINClZTMk9zam5aWTdkTVpSK296SDI5U1Y3cU1TcENzZDlNOUlSTDNFSWlYK21wanJYVmRBdllhd1Z6RW5ZOA0KcnZzck5tMG4yK2dVYjZNdUloMEtmckVydndmVE0rYWtvczhXRWI1ZkdpTmthWGVhTCtCOFZDN21xSHpiDQo4SDN5dEpqSzdkaXRBZzBPV0tvRzhJaitHa0FTYjlZZkJVS1JjRWtpelE3TnVWdlhaSFczNjZNSnUyK2gNCkVuS3hYcjlwVVVqei9qYS9OcTYybjhmNEI0MFhkanF5OVBMWFVaWkQwaC9tWmxSYkFhYkZ1amE5OUdSWg0KSUVDNFF3M3d6eGRKLzJzNmZSZC9vVDNZdDFmTVROaXFuZkY1MTZrVjlEckJ3VXdEdmIxMllQYVpqY1FCDQpFQUM5SW1aUWRPSDJUWW5OeWlnakluUW1wWnhKQ0l1cldrT29IYlUvKzg1b0NHaGVYMmVENXE2ekh3ekYNCkFic2I3NGZIMnhqQ3dnVWVFQUFpUkI2MEF2aW1tQWNTQ1VCNUV3ZWpMZWpVQWUrNmVseWlieisxNjhzSg0Kdm9HcFpscFdEQjkwWGVSUWNqZ3RCU05IT1VyRXNmOGNZUktnbEdlblFIMWxXRUUvcm9lNHVTSHZJeXczDQp3ZXdublp5cnJDOTlZSWx4cUd0cm4wNGVhTjRkbFUrd282V0NiRmx0RHZtL3FFM2FTSktjaTZ5MVNZV2MNCmltMG44V0dyaUFSdmhBdzZ5MmRjME81NWRkR0ZrMDN4cEJwU0NjY0c5S1d5TVU3aFpNbWFCVythVXVCcQ0KcDBGaXgzbk5mclhuU1JnSE9aNmtxc2pCUndRcGFsa3RPQ1AzWFpXQWl6VDE1N0lWcTQ2UFVYK282dy9JDQpmTDVKL1lXSEdjZ1c2aFUzWjlrYU5RTDlMWFRrU0hnRlA0dzl5eFByMExqQUZVU2xXcEVOc0RYbHl2MmoNCkpwbFUrSHpnaGZsY25vOWlpT2NzaC9zMEhXWXE2N2dMUkV1cHg3L1RzVlJjTHgzNVl3dC96ZlFQbW9JKw0KNmt1bHIzVFMrRVpYQlU1QTJka2JlU0xCNTZvUldxSS8veStqLzNPU3JqckhqeTlUVGVnTUxTeWhncWMwDQpxek0xU0dQSGVnTTVDaG02bWl5S2svNWZCU0J3MU11aGlCS2lweGNuRENVa3RHR1hJeE9NVUsvb0xFOTYNCitsVTJDOVQvTEh1ekU2OHg5ajl3Q3luRXVBV3V0cUlZZlFlVSswQWg1YThqY3NJQW83MTBMelVjME1POA0KVUwrWHk3akJEYlZ3ZzZhZHprQ3hjVUVNZWNIQlRBTkxXaS84NWkyVkFRRVFBSTE1RmxkQjZ6dC9XMiszDQpRWmhKY1V3L3ZFaUh0TFUrTnNQaHpnc1k0WFROWEJJNDVWTnJKUnU4SzVsbWw1eEkzSjB2ekhQN1piWWgNCjVHVU85MTI4MEFPbXVPT1FSSVJMME9ncFFsSW9yUndpcm1ZR0JmQ1BLQ3hSTDhhbFRrN0xGOW00eDBoag0KWWpyU2Q0K1RGZmE4WWVCWkpsanM2b0hUci9pSCtKV3J2YW9wb3Z0VkdNR1JMclE5ZHlib0Z6VFRFeWNsDQpQR2JZNlRrMVdzSjVTSHBKbks5Qlk0aWtrWFN2NVp5T2NUZTlOb3BHcU10eVJOT0NlMHdocTJpU29GdXoNClR4SW5sN3Q1UFVYakZBVDhkNmVRVzZTVjdIaFVmek5mc2t1bi9ITEltdnNXQnExalFsZnZOOHB1cnBOWg0KSTdTOW1zQ3pNOUo5dS8rTUJoYlFCSmd3enlzSGZaaHJkMitKdXJ4T1ovOWNMWGhXSU13RllUMmNab3lpDQpRZHYycW81MmRtNHRtdHQ4VjZLdjVuQ2I4WVVvb0N3WjhFNG5XUjFhaEo2bWtZeS82R3V5a0F0bTlZTGQNCnV3QVZ4MENNdEwvZFVQcHJwVUxtUkVRSjZYT2NnWTZScGtvaDg4bzJjV0RzSnZZangrQUZBdDMyMnRleg0KbTZBTTdRQ1JhSnA1WXpHV1dTWWxEa2xUZDFWWFhvWjVmc0ozMVAwL3ljMlF5RE8yeFlVQ2ZMS1pjaEIrDQoxWE4rOGFXREREOFpOQmlJY0FocFNFVjdiRSs3dHh2Y2ZBM3FUR3ZOQlFDR1hRS3ZZV0hBRnZNVmM1dzANCmxBWVh6K2M2UkExWWg1dWsrK1gycUN6NHhicnRMZjNaZGNDaE43NXlYMlVwWExOb2YzUk0yQnZUaUdrWA0KMjg5cEp6cGV3Y0ZNQTcyOWRtRDJtWTNFQVEvL2QvQmxYMWxEY3V4TXRLa3dnMGc5dnZjSVQ3UU9KeWU2DQp2ZTBiczJ3QWVKcW1GWE9UQkxZY1A5L1V2Zy8rRkhNd2pEbUJmcnVGTUphcGh5Z0pWQVJ0cDM5bVlXZzkNClcvN1dMN1I0c2VKQUZCRWJjRXo4T0VFWXcvTHVIUS9LMmtrcC8yajNLSFlOVnpIY280eTAxS2Y4U1RFUA0KV0dsQmZFcTNCNWdmTVVIQTBmZFc4UmpRR1YwNzUzWTFBSkx1eTA2N2xvWlVyRzhjUjQ4YVRnSVRpSkcvDQpZNlJ6Snk1ajRqRnl1ODVSWmNpWHczWDh4VHdOeVNCZTlEZlBIb0FZZGUwMFJzQnl6ZjNBbnRwNzhSWWcNCm90NVAvaHl5bU1tVXRCT3dTOVVkZ1ZSSVNnemdzME9MWGtwcVpQTDNWMlZiYUx2RWZyN1F4T1Y1ZnhjWQ0KLzQ0MkdjRFljSGJ4enl4S2dNMDlZWlZSWHlseS9JaTZiR29qdkQ5U2JKM01Nd2ZMSWFNU3NxcmFSMSswDQptQ0dSUnY3bXo3TDJXQ0xmV3Y2Y2x4T28zWkVTZDBhR0FxMVQrazJLcU4xSW43dldxNzUwV2JrcU5rdXQNCmRSOTRHOGdJZ3NCcEVpUVhPbkRMWVJtMWZ6TXUzN1R0S0ppMElqM1Q0K2RWUTZOUVRrM1I3ZFBFUnNpbg0KWElhVmRpcisvT29JcDdkMlZxNldCNk5wc1BNaXdSckk5K0tGeTlCMHVJRnFtZkswc095enkwVzFqS0pQDQpxSnBTOUp3eFAzVCtiUFpIWEdKTXpEN1VocjU1SllKZTlvK0xwQkF5WHE2WWhITXZCNlJzcnpFRWs1UGENCnBvcWl5QmlxVEhjU0FCWEh3OG43VXg2Wkh6cDBpZkI3VUJCQWo0U0VHbGFTanhVQVpTSFN3M0lCQ1BWWQ0KSnB1VWZVaGtJQlhVRkl5bEI4UG9BZXJyMFF0dFNVME5VeDBYL3h1UkZwM2htd0tqcmtkWEI3RnBSbkp1DQpOelJwZzdUdWNGTnRyRDZDeWtSZGxaSDNjVVpMQUFOaTh2YytyMkMydEZzOENEd09Ba09FcE5MTGVKZ2UNCkM1RzFXRDN4VFowZ0xsbmk4dno3Rk56YVg2N1o4eWdQbERVUXVGYVloTEV3KzU3RmppZk5EOG9aVTgzMw0KdHA2dzhEV01DbEFjUmJXVzZwbVJ0b2dMMU83dnFZTEJtYjFPUGc4dHpoV2pieEkweHVrc2x0dFN6a3VNDQpZcEladVFwOG91OVhOaEhDaytTSzZoSGJ1TFVSRS8wQ1FzZjNxcTNnY3lETDhFMk1LZUFCMDAxQVZDK28NCkROK3F1a2dyRVlaeFlSM1NRdDB5SnNUU0l0d25rRGg0cnlIdC9qZ1pLY0tkbkRqWlhJMU41bW5wNlNGRg0KNXBYUjlFcFpNRFpPamRqaWVkY2s5aUpIZWFXRXJuUGFxemovdDU1ajlyK3dmOHRTUVhOaTBYeUFZdzhEDQpkSVFReVh1dmdRSmI2SHpOTG9ObmI3ZUpSRTZ6SXNlbXZBaTRlTjNBQUdiYWh1bXZ1VGpMRDFQelc4VXkNClRUOVFpQWFpVXBWaGdDSzVydVhmQjVNN3pzQ0MyWXhpSEpDTlBHKzRjSlJOTGJzeFluTmRRSHJCcnBodA0KTytzTHBkdnRlWStEL2p5ZWRGbE5KUTJhbG1YVkpMNVVTM3NBbUtFdGt4bDNqakNmd2Y1bVpPcmhVT2p4DQp6WWdoR3pMbTUxeWU2T0pVQnFyV1dUdzMyY1NPNXllL0RrMjkxQWhYMDhBd1drVXRBMG0zQld6K3NwMHYNCjh4QWN4dE1FMGx0R2RHbHErTW9JYXBDdisrUlRORmpYVVM1K3ZIczNaV0JmdUg5S3VBZmQ0d0pKcTdqTQ0KeVo1NUdsWERJUUdHdDVOejhQYVRlL3pjTGhyOHBpRU1Iem1ZbjRJdmhRVjl2dFo1RVh6WDBHOS9LcWJCDQpsTHhTVHlwelZlczhCZVMzTExQRG1Helh4UHRDRmd3aFBxMzBmRTZ3amxPd0JGcEtOb1NrUEk5aGNSWlUNCkF4MDJ0ZkZ3S2tvejFJNnZjWVhvTE9UdDdHWjA2VVlpZHJUSis4eGkrL0N5bFFqbm9Xb3liWE44bnkycg0KZ1RLVjk5RU5tTURVcVNLTUJlZUJmTVF0L2lqbUZBV3BVYTZaSitnUGFoSCtUV0pRUUU2d2VuUDRyZFJvDQpoWTFTWDYxRVhXUHlMaUNPWXU1Y2Jmb3hoN2hkNUJmZk93MzJIN0RldUZtNEtvZ3B4YjcxbG5aL3FWNVgNClJ2Q1RsWElzdGZ5RHo0WnFNeWRmVEVvcWdxbVlhMnJaMFhYZUUveDFRcWhXSERRb2MrRkMwc1lhVlZtdQ0KZkhlK0ExUkN4YjRzbVZERUhjb2FJNmc2K1dqQVFwQmRVWnR0MjJuaGplN3hPSTZCaTdPRVhVVXp2Y05KDQpQY2gyZzF3Vkx1TkdSVXdueWR4ZklKNEZQVWpFTm94NDQxR3hwM1ZlK09leVJrNWVQZ01SQmE5SkU0ekkNCjFRRUZ0eTFPdkFmZkRhQ3JlQzdBWmRxRThCbzBrSXZIS1I0QTNQeWs5bktJcU1ZV3JTa1A3NG1mbzlJYg0KQUJFODdrSi9YcFcwUUFRQndWbWpXUlpsVmNsVmhYamN4ZHQyV0hMbzVMekFVSGR5ajdGdzRMS1BjdWFEDQpzMkp4RThRWW5vM3dVbGdqWVM4bS9pWGo1VXF3WWhxRDdWTncyL0JXbGtZRDJkb09uY0t0aHl0WDJVTUMNCmNWTUhoT1F0QW5kSjJ6VkF1R3lVZ3BJMTNvUmxwcUgxSTdMQXN5ZHRjTi9mSlZvPTNEDQo9M0REVWloDQotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tDQoNCi0tLS0tLXNpbmlrYWVsLT89XzEtMTc4MDY1ODQwMzIzOTAuMDE0NTQ3ODU5MzQwMjQ5MjctLQ0K", + "historyId": "1499152", + "internalDate": "1780658404000" + } +} \ No newline at end of file diff --git a/test/source/tests/decrypt.ts b/test/source/tests/decrypt.ts index bb4d1634480..0f061c9f972 100644 --- a/test/source/tests/decrypt.ts +++ b/test/source/tests/decrypt.ts @@ -2260,6 +2260,28 @@ XZ8r4OC6sguP/yozWlkG+7dDxsgKQVBENeG6Lw== }) ); + test( + `decrypt - css sanitizer must not allow UI redress or url() leakage`, + testWithBrowser(async (t, browser) => { + const threadId = '19e9782fbc7127c4'; + const { acctEmail } = await BrowserRecipe.setupCommonAcctWithAttester(t, browser, 'compatibility'); + const inboxPage = await browser.newExtensionPage(t, `chrome/settings/inbox/inbox.htm?acctEmail=${acctEmail}&threadId=${threadId}`); + await inboxPage.waitForSelTestState('ready'); + await inboxPage.waitAll('iframe'); + const pgpBlock = await inboxPage.getFrame(['pgp_block.htm']); + await pgpBlock.waitForContent('@pgp-block-content', 'sanitization test payload'); + expect(await pgpBlock.isElementPresent('[style*="position"]')).to.equal(false); + expect(await pgpBlock.isElementPresent('[style*="z-index"]')).to.equal(false); + const hasUrlCss = await pgpBlock.target.evaluate(() => + [...document.querySelectorAll('*')].some(el => (el.getAttribute('style') || '').includes('url(')) + ); + expect(hasUrlCss).to.equal(false); + expect(await pgpBlock.isElementPresent('[style*="transform"]')).to.equal(false); + expect(await pgpBlock.isElementPresent('[style*="opacity"]')).to.equal(false); + await inboxPage.close(); + }) + ); + test( 'settings - test for warning modal when downloading an executable file', testWithBrowser(async (t, browser) => { From 1f978d0891ed6b768f66c06ded5a6d0c1a3dc262 Mon Sep 17 00:00:00 2001 From: martgil Date: Sat, 6 Jun 2026 13:17:07 +0800 Subject: [PATCH 08/10] feat: strip css comments --- extension/js/common/platform/xss.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 7a901aa78f6..41317353a8f 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -283,6 +283,7 @@ export class Xss { */ private static sanitizeCssStyle = (css: string): string => { return css + .replace(/\/\*[\s\S]*?\*\//g, '') .split(';') .map(part => part.trim()) .filter(part => { From b4d9adbc1c22efd287784ba0b986a7a07dbf15b4 Mon Sep 17 00:00:00 2001 From: martgil Date: Sat, 6 Jun 2026 19:59:49 +0800 Subject: [PATCH 09/10] test: update test with css comment removal test --- .../message-export-19e9782fbc7127c4.json | 90 ------------------- .../message-export-19e9cc77867bba39.json | 90 +++++++++++++++++++ test/source/tests/decrypt.ts | 31 +++++-- 3 files changed, 112 insertions(+), 99 deletions(-) delete mode 100644 test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json create mode 100644 test/source/mock/google/exported-messages/message-export-19e9cc77867bba39.json diff --git a/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json b/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json deleted file mode 100644 index c8017132a2b..00000000000 --- a/test/source/mock/google/exported-messages/message-export-19e9782fbc7127c4.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "acctEmail": "flowcrypt.compatibility@gmail.com", - "full": { - "id": "19e9782fbc7127c4", - "threadId": "19e9782fbc7127c4", - "labelIds": [ - "Label_15", - "SENT", - "INBOX" - ], - "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAApvcvGPQGVrKP2q3Dr25A2TWVizkRhnyPbkHXHIeZ o3hnQH+", - "payload": { - "partId": "", - "mimeType": "multipart/mixed", - "filename": "", - "headers": [ - { - "name": "Content-Type", - "value": "multipart/mixed; boundary=\"----sinikael-?=_1-17806584032390.01454785934024927\"" - }, - { - "name": "Openpgp", - "value": "id=E8F0517BA6D7DAB6081C96E4ADAC279C95093207" - }, - { - "name": "From", - "value": "sender@domain.com" - }, - { - "name": "To", - "value": "flowcrypt.compatibility@gmail.com" - }, - { - "name": "Subject", - "value": "flowcrypt-browser #6234" - }, - { - "name": "Date", - "value": "Fri, 5 Jun 2026 04:20:04 -0700" - }, - { - "name": "MIME-Version", - "value": "1.0" - } - ], - "body": { - "size": 0 - }, - "parts": [ - { - "partId": "0", - "mimeType": "text/plain", - "filename": "", - "headers": [ - { - "name": "Content-Type", - "value": "text/plain" - }, - { - "name": "Content-Transfer-Encoding", - "value": "quoted-printable" - } - ], - "body": { - "size": 4553, - "data": "LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQpWZXJzaW9uOiBGbG93Q3J5cHQgRW1haWwgRW5jcnlwdGlvbiA4LjUuMTMNCkNvbW1lbnQ6IFNlYW1sZXNzbHkgc2VuZCBhbmQgcmVjZWl2ZSBlbmNyeXB0ZWQgZW1haWwNCg0Kd2NGTUEwdGFML3ptTFpVQkFSQUFwdmN2R1BRR1ZyS1AycTNEcjI1QTJUV1ZpemtSaG55UGJrSFhISWVaDQpvM2huUUgrMnVRMnAyMUVtckhWRHhiZVRzRUs0TTZ1bXJYdGMvWmQ0blZWeXR3Ymcvb0YreGREdWFKVnUNCk44TkF3LzJML3krd2FnNkJNSzBDR3NIRWtSN2VIZG9kbW5CaTkydCtqVVIvdTdWM25JclRxa3pjVFlqeA0KUXlUajBKWXRFSFRLVUMzVmY4TFlzdE1kakYzZmZ2T2tkKzEvQXF3anNBNzdQY1BjZFB1Tk43MkNMVXNSDQpacmtYYldTYzRyN2xmODJ3VTBqaFZacFVPdmZhZ2poak55eS9zRnJ5MWFpaXZUbWpXc29uRnRBVnl1L0sNCnB2ajR6MWN5bnhrUDNheVVMWThZdVp1MEU2Uy9uSVpPUnVUMTNjUjcySFNPR1hPR1BmeVorWUU4WHpoeQ0KSVVTTmdtYUZHblQ2Yk5iV3l6WW5GMDlGdmxSU1RNUXVJTGQrNnRtRmg0Y3M2bnpXZjlTNXh6Zmg0OFFCDQpWUzJPc2puWlk3ZE1aUitvekgyOVNWN3FNU3BDc2Q5TTlJUkwzRUlpWCttcGpyWFZkQXZZYXdWekVuWTgNCnJ2c3JObTBuMitnVWI2TXVJaDBLZnJFcnZ3ZlRNK2Frb3M4V0ViNWZHaU5rYVhlYUwrQjhWQzdtcUh6Yg0KOEgzeXRKaks3ZGl0QWcwT1dLb0c4SWorR2tBU2I5WWZCVUtSY0VraXpRN051VnZYWkhXMzY2TUp1MitoDQpFbkt4WHI5cFVVanovamEvTnE2Mm44ZjRCNDBYZGpxeTlQTFhVWlpEMGgvbVpsUmJBYWJGdWphOTlHUloNCklFQzRRdzN3enhkSi8yczZmUmQvb1QzWXQxZk1UTmlxbmZGNTE2a1Y5RHJCd1V3RHZiMTJZUGFaamNRQg0KRUFDOUltWlFkT0gyVFluTnlpZ2pJblFtcFp4SkNJdXJXa09vSGJVLys4NW9DR2hlWDJlRDVxNnpId3pGDQpBYnNiNzRmSDJ4akN3Z1VlRUFBaVJCNjBBdmltbUFjU0NVQjVFd2VqTGVqVUFlKzZlbHlpYnorMTY4c0oNCnZvR3BabHBXREI5MFhlUlFjamd0QlNOSE9VckVzZjhjWVJLZ2xHZW5RSDFsV0VFL3JvZTR1U0h2SXl3Mw0Kd2V3bm5aeXJyQzk5WUlseHFHdHJuMDRlYU40ZGxVK3dvNldDYkZsdER2bS9xRTNhU0pLY2k2eTFTWVdjDQppbTBuOFdHcmlBUnZoQXc2eTJkYzBPNTVkZEdGazAzeHBCcFNDY2NHOUtXeU1VN2haTW1hQlcrYVV1QnENCnAwRml4M25OZnJYblNSZ0hPWjZrcXNqQlJ3UXBhbGt0T0NQM1haV0FpelQxNTdJVnE0NlBVWCtvNncvSQ0KZkw1Si9ZV0hHY2dXNmhVM1o5a2FOUUw5TFhUa1NIZ0ZQNHc5eXhQcjBMakFGVVNsV3BFTnNEWGx5djJqDQpKcGxVK0h6Z2hmbGNubzlpaU9jc2gvczBIV1lxNjdnTFJFdXB4Ny9Uc1ZSY0x4MzVZd3QvemZRUG1vSSsNCjZrdWxyM1RTK0VaWEJVNUEyZGtiZVNMQjU2b1JXcUkvL3krai8zT1NyanJIank5VFRlZ01MU3loZ3FjMA0KcXpNMVNHUEhlZ001Q2htNm1peUtrLzVmQlNCdzFNdWhpQktpcHhjbkRDVWt0R0dYSXhPTVVLL29MRTk2DQorbFUyQzlUL0xIdXpFNjh4OWo5d0N5bkV1QVd1dHFJWWZRZVUrMEFoNWE4amNzSUFvNzEwTHpVYzBNTzgNClVMK1h5N2pCRGJWd2c2YWR6a0N4Y1VFTWVjSEJUQU5MV2kvODVpMlZBUUVRQUkxNUZsZEI2enQvVzIrMw0KUVpoSmNVdy92RWlIdExVK05zUGh6Z3NZNFhUTlhCSTQ1Vk5ySlJ1OEs1bG1sNXhJM0owdnpIUDdaYlloDQo1R1VPOTEyODBBT211T09RUklSTDBPZ3BRbElvclJ3aXJtWUdCZkNQS0N4Ukw4YWxUazdMRjltNHgwaGoNCllqclNkNCtURmZhOFllQlpKbGpzNm9IVHIvaUgrSldydmFvcG92dFZHTUdSTHJROWR5Ym9GelRURXljbA0KUEdiWTZUazFXc0o1U0hwSm5LOUJZNGlra1hTdjVaeU9jVGU5Tm9wR3FNdHlSTk9DZTB3aHEyaVNvRnV6DQpUeElubDd0NVBVWGpGQVQ4ZDZlUVc2U1Y3SGhVZnpOZnNrdW4vSExJbXZzV0JxMWpRbGZ2TjhwdXJwTloNCkk3Uzltc0N6TTlKOXUvK01CaGJRQkpnd3p5c0hmWmhyZDIrSnVyeE9aLzljTFhoV0lNd0ZZVDJjWm95aQ0KUWR2MnFvNTJkbTR0bXR0OFY2S3Y1bkNiOFlVb29Dd1o4RTRuV1IxYWhKNm1rWXkvNkd1eWtBdG05WUxkDQp1d0FWeDBDTXRML2RVUHBycFVMbVJFUUo2WE9jZ1k2UnBrb2g4OG8yY1dEc0p2WWp4K0FGQXQzMjJ0ZXoNCm02QU03UUNSYUpwNVl6R1dXU1lsRGtsVGQxVlhYb1o1ZnNKMzFQMC95YzJReURPMnhZVUNmTEtaY2hCKw0KMVhOKzhhV0RERDhaTkJpSWNBaHBTRVY3YkUrN3R4dmNmQTNxVEd2TkJRQ0dYUUt2WVdIQUZ2TVZjNXcwDQpsQVlYeitjNlJBMVloNXVrKytYMnFDejR4YnJ0TGYzWmRjQ2hONzV5WDJVcFhMTm9mM1JNMkJ2VGlHa1gNCjI4OXBKenBld2NGTUE3MjlkbUQybVkzRUFRLy9kL0JsWDFsRGN1eE10S2t3ZzBnOXZ2Y0lUN1FPSnllNg0KdmUwYnMyd0FlSnFtRlhPVEJMWWNQOS9VdmcvK0ZITXdqRG1CZnJ1Rk1KYXBoeWdKVkFSdHAzOW1ZV2c5DQpXLzdXTDdSNHNlSkFGQkViY0V6OE9FRVl3L0x1SFEvSzJra3AvMmozS0hZTlZ6SGNvNHkwMUtmOFNURVANCldHbEJmRXEzQjVnZk1VSEEwZmRXOFJqUUdWMDc1M1kxQUpMdXkwNjdsb1pVckc4Y1I0OGFUZ0lUaUpHLw0KWTZSekp5NWo0akZ5dTg1UlpjaVh3M1g4eFR3TnlTQmU5RGZQSG9BWWRlMDBSc0J5emYzQW50cDc4UllnDQpvdDVQL2h5eW1NbVV0Qk93UzlVZGdWUklTZ3pnczBPTFhrcHFaUEwzVjJWYmFMdkVmcjdReE9WNWZ4Y1kNCi80NDJHY0RZY0hieHp5eEtnTTA5WVpWUlh5bHkvSWk2YkdvanZEOVNiSjNNTXdmTElhTVNzcXJhUjErMA0KbUNHUlJ2N216N0wyV0NMZld2NmNseE9vM1pFU2QwYUdBcTFUK2syS3FOMUluN3ZXcTc1MFdia3FOa3V0DQpkUjk0RzhnSWdzQnBFaVFYT25ETFlSbTFmek11MzdUdEtKaTBJajNUNCtkVlE2TlFUazNSN2RQRVJzaW4NClhJYVZkaXIrL09vSXA3ZDJWcTZXQjZOcHNQTWl3UnJJOStLRnk5QjB1SUZxbWZLMHNPeXp5MFcxaktKUA0KcUpwUzlKd3hQM1QrYlBaSFhHSk16RDdVaHI1NUpZSmU5bytMcEJBeVhxNlloSE12QjZSc3J6RUVrNVBhDQpwb3FpeUJpcVRIY1NBQlhIdzhuN1V4NlpIenAwaWZCN1VCQkFqNFNFR2xhU2p4VUFaU0hTdzNJQkNQVlkNCkpwdVVmVWhrSUJYVUZJeWxCOFBvQWVycjBRdHRTVTBOVXgwWC94dVJGcDNobXdLanJrZFhCN0ZwUm5KdQ0KTnpScGc3VHVjRk50ckQ2Q3lrUmRsWkgzY1VaTEFBTmk4dmMrcjJDMnRGczhDRHdPQWtPRXBOTExlSmdlDQpDNUcxV0QzeFRaMGdMbG5pOHZ6N0ZOemFYNjdaOHlnUGxEVVF1RmFZaExFdys1N0ZqaWZORDhvWlU4MzMNCnRwNnc4RFdNQ2xBY1JiV1c2cG1SdG9nTDFPN3ZxWUxCbWIxT1BnOHR6aFdqYnhJMHh1a3NsdHRTemt1TQ0KWXBJWnVRcDhvdTlYTmhIQ2srU0s2aEhidUxVUkUvMENRc2YzcXEzZ2N5REw4RTJNS2VBQjAwMUFWQytvDQpETitxdWtnckVZWnhZUjNTUXQweUpzVFNJdHdua0RoNHJ5SHQvamdaS2NLZG5EalpYSTFONW1ucDZTRkYNCjVwWFI5RXBaTURaT2pkamllZGNrOWlKSGVhV0VyblBhcXpqL3Q1NWo5cit3Zjh0U1FYTmkwWHlBWXc4RA0KZElRUXlYdXZnUUpiNkh6TkxvTm5iN2VKUkU2eklzZW12QWk0ZU4zQUFHYmFodW12dVRqTEQxUHpXOFV5DQpUVDlRaUFhaVVwVmhnQ0s1cnVYZkI1TTd6c0NDMll4aUhKQ05QRys0Y0pSTkxic3hZbk5kUUhyQnJwaHQNCk8rc0xwZHZ0ZVkrRC9qeWVkRmxOSlEyYWxtWFZKTDVVUzNzQW1LRXRreGwzampDZndmNW1aT3JoVU9qeA0KellnaEd6TG01MXllNk9KVUJxcldXVHczMmNTTzV5ZS9EazI5MUFoWDA4QXdXa1V0QTBtM0JXeitzcDB2DQo4eEFjeHRNRTBsdEdkR2xxK01vSWFwQ3YrK1JUTkZqWFVTNSt2SHMzWldCZnVIOUt1QWZkNHdKSnE3ak0NCnlaNTVHbFhESVFHR3Q1Tno4UGFUZS96Y0xocjhwaUVNSHptWW40SXZoUVY5dnRaNUVYelgwRzkvS3FiQg0KbEx4U1R5cHpWZXM4QmVTM0xMUERtR3pYeFB0Q0Znd2hQcTMwZkU2d2psT3dCRnBLTm9Ta1BJOWhjUlpVDQpBeDAydGZGd0trb3oxSTZ2Y1lYb0xPVHQ3R1owNlVZaWRyVEorOHhpKy9DeWxRam5vV295YlhOOG55MnINCmdUS1Y5OUVObU1EVXFTS01CZWVCZk1RdC9pam1GQVdwVWE2WkorZ1BhaEgrVFdKUVFFNndlblA0cmRSbw0KaFkxU1g2MUVYV1B5TGlDT1l1NWNiZm94aDdoZDVCZmZPdzMySDdEZXVGbTRLb2dweGI3MWxuWi9xVjVYDQpSdkNUbFhJc3RmeUR6NFpxTXlkZlRFb3FncW1ZYTJyWjBYWGVFL3gxUXFoV0hEUW9jK0ZDMHNZYVZWbXUNCmZIZStBMVJDeGI0c21WREVIY29hSTZnNitXakFRcEJkVVp0dDIybmhqZTd4T0k2Qmk3T0VYVVV6dmNOSg0KUGNoMmcxd1ZMdU5HUlV3bnlkeGZJSjRGUFVqRU5veDQ0MUd4cDNWZStPZXlSazVlUGdNUkJhOUpFNHpJDQoxUUVGdHkxT3ZBZmZEYUNyZUM3QVpkcUU4Qm8wa0l2SEtSNEEzUHlrOW5LSXFNWVdyU2tQNzRtZm85SWINCkFCRTg3a0ovWHBXMFFBUUJ3Vm1qV1JabFZjbFZoWGpjeGR0MldITG81THpBVUhkeWo3Rnc0TEtQY3VhRA0KczJKeEU4UVlubzN3VWxnallTOG0vaVhqNVVxd1locUQ3Vk53Mi9CV2xrWUQyZG9PbmNLdGh5dFgyVU1DDQpjVk1IaE9RdEFuZEoyelZBdUd5VWdwSTEzb1JscHFIMUk3TEFzeWR0Y04vZkpWbz0NCj1EVWloDQotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tDQo=" - } - } - ] - }, - "sizeEstimate": 5439, - "historyId": "1499152", - "internalDate": "1780658404000" - }, - "attachments": {}, - "raw": { - "id": "19e9782fbc7127c4", - "threadId": "19e9782fbc7127c4", - "labelIds": [ - "Label_15", - "SENT", - "INBOX" - ], - "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAApvcvGPQGVrKP2q3Dr25A2TWVizkRhnyPbkHXHIeZ o3hnQH+", - "sizeEstimate": 5439, - "raw": "UmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCUZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KUmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCUZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KQ29udGVudC1UeXBlOiBtdWx0aXBhcnQvbWl4ZWQ7DQogYm91bmRhcnk9Ii0tLS1zaW5pa2FlbC0_PV8xLTE3ODA2NTg0MDMyMzkwLjAxNDU0Nzg1OTM0MDI0OTI3Ig0KT3BlbnBncDogaWQ9RThGMDUxN0JBNkQ3REFCNjA4MUM5NkU0QURBQzI3OUM5NTA5MzIwNw0KRnJvbTogRmxvd0NyeXB0IENvbXBhdGliaWxpdHkgPGZsb3djcnlwdC5jb21wYXRpYmlsaXR5QGdtYWlsLmNvbT4NClRvOiBGbG93Q3J5cHQgQ29tcGF0aWJpbGl0eSA8Zmxvd2NyeXB0LmNvbXBhdGliaWxpdHlAZ21haWwuY29tPg0KU3ViamVjdDogZmxvd2NyeXB0LWJyb3dzZXIgIzYyMzQNCkRhdGU6IEZyaSwgNSBKdW4gMjAyNiAwNDoyMDowNCAtMDcwMA0KTWVzc2FnZS1JZDogPENBS2J1TFRxdD0rNGJjai14WkpoWXhKU3laX0FRaDZVbWl2RFdVZEJKMUt2VW5Cd2ZNUUBtYWlsLmdtYWlsLmNvbT4NCk1JTUUtVmVyc2lvbjogMS4wDQoNCi0tLS0tLXNpbmlrYWVsLT89XzEtMTc4MDY1ODQwMzIzOTAuMDE0NTQ3ODU5MzQwMjQ5MjcNCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbg0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogcXVvdGVkLXByaW50YWJsZQ0KDQotLS0tLUJFR0lOIFBHUCBNRVNTQUdFLS0tLS0NClZlcnNpb246IEZsb3dDcnlwdCBFbWFpbCBFbmNyeXB0aW9uIDguNS4xMw0KQ29tbWVudDogU2VhbWxlc3NseSBzZW5kIGFuZCByZWNlaXZlIGVuY3J5cHRlZCBlbWFpbA0KDQp3Y0ZNQTB0YUwvem1MWlVCQVJBQXB2Y3ZHUFFHVnJLUDJxM0RyMjVBMlRXVml6a1JobnlQYmtIWEhJZVoNCm8zaG5RSCsydVEycDIxRW1ySFZEeGJlVHNFSzRNNnVtclh0Yy9aZDRuVlZ5dHdiZy9vRit4ZER1YUpWdQ0KTjhOQXcvMkwveSt3YWc2Qk1LMENHc0hFa1I3ZUhkb2RtbkJpOTJ0K2pVUi91N1YzbklyVHFremNUWWp4DQpReVRqMEpZdEVIVEtVQzNWZjhMWXN0TWRqRjNmZnZPa2QrMS9BcXdqc0E3N1BjUGNkUHVOTjcyQ0xVc1INClpya1hiV1NjNHI3bGY4MndVMGpoVlpwVU92ZmFnamhqTnl5L3NGcnkxYWlpdlRtaldzb25GdEFWeXUvSw0KcHZqNHoxY3lueGtQM2F5VUxZOFl1WnUwRTZTL25JWk9SdVQxM2NSNzJIU09HWE9HUGZ5WitZRThYemh5DQpJVVNOZ21hRkduVDZiTmJXeXpZbkYwOUZ2bFJTVE1RdUlMZCs2dG1GaDRjczZueldmOVM1eHpmaDQ4UUINClZTMk9zam5aWTdkTVpSK296SDI5U1Y3cU1TcENzZDlNOUlSTDNFSWlYK21wanJYVmRBdllhd1Z6RW5ZOA0KcnZzck5tMG4yK2dVYjZNdUloMEtmckVydndmVE0rYWtvczhXRWI1ZkdpTmthWGVhTCtCOFZDN21xSHpiDQo4SDN5dEpqSzdkaXRBZzBPV0tvRzhJaitHa0FTYjlZZkJVS1JjRWtpelE3TnVWdlhaSFczNjZNSnUyK2gNCkVuS3hYcjlwVVVqei9qYS9OcTYybjhmNEI0MFhkanF5OVBMWFVaWkQwaC9tWmxSYkFhYkZ1amE5OUdSWg0KSUVDNFF3M3d6eGRKLzJzNmZSZC9vVDNZdDFmTVROaXFuZkY1MTZrVjlEckJ3VXdEdmIxMllQYVpqY1FCDQpFQUM5SW1aUWRPSDJUWW5OeWlnakluUW1wWnhKQ0l1cldrT29IYlUvKzg1b0NHaGVYMmVENXE2ekh3ekYNCkFic2I3NGZIMnhqQ3dnVWVFQUFpUkI2MEF2aW1tQWNTQ1VCNUV3ZWpMZWpVQWUrNmVseWlieisxNjhzSg0Kdm9HcFpscFdEQjkwWGVSUWNqZ3RCU05IT1VyRXNmOGNZUktnbEdlblFIMWxXRUUvcm9lNHVTSHZJeXczDQp3ZXdublp5cnJDOTlZSWx4cUd0cm4wNGVhTjRkbFUrd282V0NiRmx0RHZtL3FFM2FTSktjaTZ5MVNZV2MNCmltMG44V0dyaUFSdmhBdzZ5MmRjME81NWRkR0ZrMDN4cEJwU0NjY0c5S1d5TVU3aFpNbWFCVythVXVCcQ0KcDBGaXgzbk5mclhuU1JnSE9aNmtxc2pCUndRcGFsa3RPQ1AzWFpXQWl6VDE1N0lWcTQ2UFVYK282dy9JDQpmTDVKL1lXSEdjZ1c2aFUzWjlrYU5RTDlMWFRrU0hnRlA0dzl5eFByMExqQUZVU2xXcEVOc0RYbHl2MmoNCkpwbFUrSHpnaGZsY25vOWlpT2NzaC9zMEhXWXE2N2dMUkV1cHg3L1RzVlJjTHgzNVl3dC96ZlFQbW9JKw0KNmt1bHIzVFMrRVpYQlU1QTJka2JlU0xCNTZvUldxSS8veStqLzNPU3JqckhqeTlUVGVnTUxTeWhncWMwDQpxek0xU0dQSGVnTTVDaG02bWl5S2svNWZCU0J3MU11aGlCS2lweGNuRENVa3RHR1hJeE9NVUsvb0xFOTYNCitsVTJDOVQvTEh1ekU2OHg5ajl3Q3luRXVBV3V0cUlZZlFlVSswQWg1YThqY3NJQW83MTBMelVjME1POA0KVUwrWHk3akJEYlZ3ZzZhZHprQ3hjVUVNZWNIQlRBTkxXaS84NWkyVkFRRVFBSTE1RmxkQjZ6dC9XMiszDQpRWmhKY1V3L3ZFaUh0TFUrTnNQaHpnc1k0WFROWEJJNDVWTnJKUnU4SzVsbWw1eEkzSjB2ekhQN1piWWgNCjVHVU85MTI4MEFPbXVPT1FSSVJMME9ncFFsSW9yUndpcm1ZR0JmQ1BLQ3hSTDhhbFRrN0xGOW00eDBoag0KWWpyU2Q0K1RGZmE4WWVCWkpsanM2b0hUci9pSCtKV3J2YW9wb3Z0VkdNR1JMclE5ZHlib0Z6VFRFeWNsDQpQR2JZNlRrMVdzSjVTSHBKbks5Qlk0aWtrWFN2NVp5T2NUZTlOb3BHcU10eVJOT0NlMHdocTJpU29GdXoNClR4SW5sN3Q1UFVYakZBVDhkNmVRVzZTVjdIaFVmek5mc2t1bi9ITEltdnNXQnExalFsZnZOOHB1cnBOWg0KSTdTOW1zQ3pNOUo5dS8rTUJoYlFCSmd3enlzSGZaaHJkMitKdXJ4T1ovOWNMWGhXSU13RllUMmNab3lpDQpRZHYycW81MmRtNHRtdHQ4VjZLdjVuQ2I4WVVvb0N3WjhFNG5XUjFhaEo2bWtZeS82R3V5a0F0bTlZTGQNCnV3QVZ4MENNdEwvZFVQcHJwVUxtUkVRSjZYT2NnWTZScGtvaDg4bzJjV0RzSnZZangrQUZBdDMyMnRleg0KbTZBTTdRQ1JhSnA1WXpHV1dTWWxEa2xUZDFWWFhvWjVmc0ozMVAwL3ljMlF5RE8yeFlVQ2ZMS1pjaEIrDQoxWE4rOGFXREREOFpOQmlJY0FocFNFVjdiRSs3dHh2Y2ZBM3FUR3ZOQlFDR1hRS3ZZV0hBRnZNVmM1dzANCmxBWVh6K2M2UkExWWg1dWsrK1gycUN6NHhicnRMZjNaZGNDaE43NXlYMlVwWExOb2YzUk0yQnZUaUdrWA0KMjg5cEp6cGV3Y0ZNQTcyOWRtRDJtWTNFQVEvL2QvQmxYMWxEY3V4TXRLa3dnMGc5dnZjSVQ3UU9KeWU2DQp2ZTBiczJ3QWVKcW1GWE9UQkxZY1A5L1V2Zy8rRkhNd2pEbUJmcnVGTUphcGh5Z0pWQVJ0cDM5bVlXZzkNClcvN1dMN1I0c2VKQUZCRWJjRXo4T0VFWXcvTHVIUS9LMmtrcC8yajNLSFlOVnpIY280eTAxS2Y4U1RFUA0KV0dsQmZFcTNCNWdmTVVIQTBmZFc4UmpRR1YwNzUzWTFBSkx1eTA2N2xvWlVyRzhjUjQ4YVRnSVRpSkcvDQpZNlJ6Snk1ajRqRnl1ODVSWmNpWHczWDh4VHdOeVNCZTlEZlBIb0FZZGUwMFJzQnl6ZjNBbnRwNzhSWWcNCm90NVAvaHl5bU1tVXRCT3dTOVVkZ1ZSSVNnemdzME9MWGtwcVpQTDNWMlZiYUx2RWZyN1F4T1Y1ZnhjWQ0KLzQ0MkdjRFljSGJ4enl4S2dNMDlZWlZSWHlseS9JaTZiR29qdkQ5U2JKM01Nd2ZMSWFNU3NxcmFSMSswDQptQ0dSUnY3bXo3TDJXQ0xmV3Y2Y2x4T28zWkVTZDBhR0FxMVQrazJLcU4xSW43dldxNzUwV2JrcU5rdXQNCmRSOTRHOGdJZ3NCcEVpUVhPbkRMWVJtMWZ6TXUzN1R0S0ppMElqM1Q0K2RWUTZOUVRrM1I3ZFBFUnNpbg0KWElhVmRpcisvT29JcDdkMlZxNldCNk5wc1BNaXdSckk5K0tGeTlCMHVJRnFtZkswc095enkwVzFqS0pQDQpxSnBTOUp3eFAzVCtiUFpIWEdKTXpEN1VocjU1SllKZTlvK0xwQkF5WHE2WWhITXZCNlJzcnpFRWs1UGENCnBvcWl5QmlxVEhjU0FCWEh3OG43VXg2Wkh6cDBpZkI3VUJCQWo0U0VHbGFTanhVQVpTSFN3M0lCQ1BWWQ0KSnB1VWZVaGtJQlhVRkl5bEI4UG9BZXJyMFF0dFNVME5VeDBYL3h1UkZwM2htd0tqcmtkWEI3RnBSbkp1DQpOelJwZzdUdWNGTnRyRDZDeWtSZGxaSDNjVVpMQUFOaTh2YytyMkMydEZzOENEd09Ba09FcE5MTGVKZ2UNCkM1RzFXRDN4VFowZ0xsbmk4dno3Rk56YVg2N1o4eWdQbERVUXVGYVloTEV3KzU3RmppZk5EOG9aVTgzMw0KdHA2dzhEV01DbEFjUmJXVzZwbVJ0b2dMMU83dnFZTEJtYjFPUGc4dHpoV2pieEkweHVrc2x0dFN6a3VNDQpZcEladVFwOG91OVhOaEhDaytTSzZoSGJ1TFVSRS8wQ1FzZjNxcTNnY3lETDhFMk1LZUFCMDAxQVZDK28NCkROK3F1a2dyRVlaeFlSM1NRdDB5SnNUU0l0d25rRGg0cnlIdC9qZ1pLY0tkbkRqWlhJMU41bW5wNlNGRg0KNXBYUjlFcFpNRFpPamRqaWVkY2s5aUpIZWFXRXJuUGFxemovdDU1ajlyK3dmOHRTUVhOaTBYeUFZdzhEDQpkSVFReVh1dmdRSmI2SHpOTG9ObmI3ZUpSRTZ6SXNlbXZBaTRlTjNBQUdiYWh1bXZ1VGpMRDFQelc4VXkNClRUOVFpQWFpVXBWaGdDSzVydVhmQjVNN3pzQ0MyWXhpSEpDTlBHKzRjSlJOTGJzeFluTmRRSHJCcnBodA0KTytzTHBkdnRlWStEL2p5ZWRGbE5KUTJhbG1YVkpMNVVTM3NBbUtFdGt4bDNqakNmd2Y1bVpPcmhVT2p4DQp6WWdoR3pMbTUxeWU2T0pVQnFyV1dUdzMyY1NPNXllL0RrMjkxQWhYMDhBd1drVXRBMG0zQld6K3NwMHYNCjh4QWN4dE1FMGx0R2RHbHErTW9JYXBDdisrUlRORmpYVVM1K3ZIczNaV0JmdUg5S3VBZmQ0d0pKcTdqTQ0KeVo1NUdsWERJUUdHdDVOejhQYVRlL3pjTGhyOHBpRU1Iem1ZbjRJdmhRVjl2dFo1RVh6WDBHOS9LcWJCDQpsTHhTVHlwelZlczhCZVMzTExQRG1Helh4UHRDRmd3aFBxMzBmRTZ3amxPd0JGcEtOb1NrUEk5aGNSWlUNCkF4MDJ0ZkZ3S2tvejFJNnZjWVhvTE9UdDdHWjA2VVlpZHJUSis4eGkrL0N5bFFqbm9Xb3liWE44bnkycg0KZ1RLVjk5RU5tTURVcVNLTUJlZUJmTVF0L2lqbUZBV3BVYTZaSitnUGFoSCtUV0pRUUU2d2VuUDRyZFJvDQpoWTFTWDYxRVhXUHlMaUNPWXU1Y2Jmb3hoN2hkNUJmZk93MzJIN0RldUZtNEtvZ3B4YjcxbG5aL3FWNVgNClJ2Q1RsWElzdGZ5RHo0WnFNeWRmVEVvcWdxbVlhMnJaMFhYZUUveDFRcWhXSERRb2MrRkMwc1lhVlZtdQ0KZkhlK0ExUkN4YjRzbVZERUhjb2FJNmc2K1dqQVFwQmRVWnR0MjJuaGplN3hPSTZCaTdPRVhVVXp2Y05KDQpQY2gyZzF3Vkx1TkdSVXdueWR4ZklKNEZQVWpFTm94NDQxR3hwM1ZlK09leVJrNWVQZ01SQmE5SkU0ekkNCjFRRUZ0eTFPdkFmZkRhQ3JlQzdBWmRxRThCbzBrSXZIS1I0QTNQeWs5bktJcU1ZV3JTa1A3NG1mbzlJYg0KQUJFODdrSi9YcFcwUUFRQndWbWpXUlpsVmNsVmhYamN4ZHQyV0hMbzVMekFVSGR5ajdGdzRMS1BjdWFEDQpzMkp4RThRWW5vM3dVbGdqWVM4bS9pWGo1VXF3WWhxRDdWTncyL0JXbGtZRDJkb09uY0t0aHl0WDJVTUMNCmNWTUhoT1F0QW5kSjJ6VkF1R3lVZ3BJMTNvUmxwcUgxSTdMQXN5ZHRjTi9mSlZvPTNEDQo9M0REVWloDQotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tDQoNCi0tLS0tLXNpbmlrYWVsLT89XzEtMTc4MDY1ODQwMzIzOTAuMDE0NTQ3ODU5MzQwMjQ5MjctLQ0K", - "historyId": "1499152", - "internalDate": "1780658404000" - } -} \ No newline at end of file diff --git a/test/source/mock/google/exported-messages/message-export-19e9cc77867bba39.json b/test/source/mock/google/exported-messages/message-export-19e9cc77867bba39.json new file mode 100644 index 00000000000..ab16266dd93 --- /dev/null +++ b/test/source/mock/google/exported-messages/message-export-19e9cc77867bba39.json @@ -0,0 +1,90 @@ +{ + "acctEmail": "flowcrypt.compatibility@gmail.com", + "full": { + "id": "19e9cc77867bba39", + "threadId": "19e9cc77867bba39", + "labelIds": [ + "Label_15", + "SENT", + "INBOX" + ], + "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAAppqO6JcGThb0Jy1pZWk/N7nHV5syTuOhM1X89X79 GEsJ+GzB/", + "payload": { + "partId": "", + "mimeType": "multipart/mixed", + "filename": "", + "headers": [ + { + "name": "Content-Type", + "value": "multipart/mixed; boundary=\"----sinikael-?=_1-17807467778820.2979209442026295\"" + }, + { + "name": "Openpgp", + "value": "id=E8F0517BA6D7DAB6081C96E4ADAC279C95093207" + }, + { + "name": "From", + "value": "sender@domain.com" + }, + { + "name": "To", + "value": "flowcrypt.compatibility@gmail.com" + }, + { + "name": "Subject", + "value": "flowcrypt-browser #6234 test" + }, + { + "name": "Date", + "value": "Sat, 6 Jun 2026 04:52:58 -0700" + }, + { + "name": "MIME-Version", + "value": "1.0" + } + ], + "body": { + "size": 0 + }, + "parts": [ + { + "partId": "0", + "mimeType": "text/plain", + "filename": "", + "headers": [ + { + "name": "Content-Type", + "value": "text/plain" + }, + { + "name": "Content-Transfer-Encoding", + "value": "quoted-printable" + } + ], + "body": { + "size": 5009, + "data": "LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQpWZXJzaW9uOiBGbG93Q3J5cHQgRW1haWwgRW5jcnlwdGlvbiA4LjUuMTMNCkNvbW1lbnQ6IFNlYW1sZXNzbHkgc2VuZCBhbmQgcmVjZWl2ZSBlbmNyeXB0ZWQgZW1haWwNCg0Kd2NGTUEwdGFML3ptTFpVQkFSQUFwcHFPNkpjR1RoYjBKeTFwWldrL043bkhWNXN5VHVPaE0xWDg5WDc5DQpHRXNKK0d6Qi9PZXJJZmoxT0dhMFpRNXJwTDg2azNWYnU3dHBqRGJubDBnM0U0VzFGbHFHamFVSitBZmoNCkt4M2xNL2lXb1B2T3FUSXlRNkhHRU9oNnJDdXozd2hEbXFsVkRyczI3N1R1aXBxRy9LWldjK1dWUG93YQ0KUXpNNTg0eHNFZEkwUjJZTjRWM054T0EyKy9lM2RSWVhwU3c1V2lVTTJta3oyZ1E1MVRKTklYZ1FEYm9LDQpuRlZCeGxvSzB0NjJGZ2dWdTVKQWVhSWFiNWpucXRmY1BKSzVYVG9aLzN1ZlJ0Y3BHTjdRa29DRlRkV0UNCkI5YU9Fa1hKOXcrdzIxYjIrOFM4ZStyMWpQaE1kY3ZpQWRxOUQ3cUVRUGpuNUQ0NHArdDdHNGExT01GOA0KNXZDYU4vMTQxaUtmcExRQjA3cWRQbHBpd2lyVzk5cGpjTU4zdklGSnBVaUpXWThTR1hndFRrRkFjei8zDQo3YXFFQ00wd3N6NzZvQkh5dU16K09COHF2Y21sRHU3cG9FWUlsVzdjYkxCYWc3RWxQdENLYTRkR241SDENCkJOSlJ1dnBGTW82NlJuVmdQYkYzTVN0WXlRM1ZKMzF3bTRDcjBGVjU2Ukl1Q1Rab3YvRFdLb0g3OVpoMQ0KTmNKTVl6Z1BySERtbUFTOEpaanhFd0h1dENKSnF2dEF2R0RXeTdGT29Ma2E5bjVseGI1YzVZdEdyZXhNDQpZUFNzQWpVMW42aDVXMDJLZDZOdzZDU1FNVUlxWmFndTNid3E0ZXU1K1hyZU9OQi9YWU1Ob3NOMS9GSEUNCnkzNE81ZmRSaEg0Y1hSSzJ6THhCRFRGUG1lRlZjbVA2Ynd2Zlo2MjlvSWJCd1V3RHZiMTJZUGFaamNRQg0KRUFEWmtzektldHgrU3Jhd2lzakc2RmRJUG1qcU1xOWRubjRGYzJjREM2UkNZbXJocXI3THBRdktLZ0N4DQpOdlFwemdlODVkeHBNVG4za3lLTVV1THFyYTUxNGE0N2p6eWhzUVh0QUU5R1BWMkhQOGM0TFJkV3VZdnMNCnBCS1AxSnIrVUQxdEN6V0NUY2c4b3V5NjB4ZVFkaTkwZWw5RWtiS3BseVdEUmZ5dHlON1NFdmk0L3hXbg0KUWZSS3N4Sk00azdYMDBEaklpbnpnREFqQ3kveHBLT0pSNWtjSU9qdnNWZUFzUnBISjJlaU5GTS9XL0JrDQpCUHZ1ZnFRZjl1MXlVNDd1anJ6dEpLWFFkOTZjNkxFbzFwZjlwRDdpMUFHVVk1MkE4SkdSRXVjSEdLdWUNCnRGbWJ2NjZBekFtQ21XQjY4Q0lWOUs4UmFNa1FBRjFqcEdJZktPRTkwUmFYOE91N3hudnIzS2VxVlc4bQ0KRjZIV1Baazd5Zit5dkVtOTRPWWIycW1KWTYyUW9relR2b2gvV0RVSjl2eVowRU5HTWtBbnRUU1Vpa0FTDQpTRVlGWWNqd2phbUJEclJBS2UvL3pzQSt0RVZFMDhHVEZhYU5lUm9Ga25wYWZTTXo5L0s3OWRVK1poeDkNCnJHWEdJUXBleXBvU2Q1NXVyK09wUlpUV2lTcExmUFZwR0g3YmJrcEwyeGpGbHZCY3FuZmtaWkZyQ0RqWQ0KOWJIR2lnd1Fuckx4bVJJRGNQTkxlQmgxSXArWFFTUkdtVG14TnF2MTlJbzJSREtSVFdvclZLdk9mNUhqDQpjRWFBOEEwTSsvcEs0a1VOSzQxTHZSc3Y0Z0ZTMzVtUTRuN1RGVVZNUkFJTklKOStndVpzY0FOV2dKWHYNClVSdUl2bXB1Mzh5Y1hyZWhBdmxIWjdlM2NzSEJUQU5MV2kvODVpMlZBUUVQLzBZQ2R6a0M3bUNjN0FhRg0KL0ZxUWlzTERvMVMvWUFSWE5TazlySTltN1BFVFUwdnFBZjJ2WDJLR05QU1NwQmN1MHVyQ0FzM1dVVEMxDQppMjBrdm5iSUJBeVVUc2V5enFhN3B4VTdaRzdIbUg2c1ArUFZveUF4V0lOaVZSL0F4ekxDNk9GcElOWnMNCkJOaCthZ0tuWjd4NE5UM3RvV1pEVVZwY1VCL1UxaHRYSmYxbDlacldNeEloRGlKQXJySXl5NFNEd0VPYQ0KYkxwRnFiMUd1WnlxTk1WeElLUzFHeVNwU1hMV3lwMks1K2dVNnErZ0lObE1sdjRIUHU3RVJ6ZUVOVUZNDQpVYkpRV2F6TWxmZ2pFY2dudTJnUSs3TXZDQ1RhVXFUbjhFa3RnMFlJRm5XT2lzalN3L1g0R3Evb2o2N1cNCllJSTl5dEh4Vi9CQ1V2bUFBbTVWL3RFYWdUSkQrTmxaWFlxTS95aEM1eHpKWWw2cXNtUGtMRTRmRHpHWQ0KTmxpbXVJM3ZzR1VMOTdlbGk4dnRvYU9xZ2EyajR2bGc1TjJMVWljWk1YMFlqWDNOeXd4ZVlwbFBQU1UwDQpTZnNQbFhyR0tzeWJ4bzJia1lpSUlDeXFkSmFja1hqVXl4TTZVdWRhRHIreVNGMWdDQVgrYjQra3JicjINCjI4UHpPRnBiK0VzVWZ4eVJCK09BQU1CbWZTWC9UTkxWNHNRYURlK3JyYVExdDZDVGVYT3FQN0lmZWFyQg0KOFNrUm5PQlVEKzBBOEY5QVlSL2pCT0pkUjNTKzRaWXpUQS9aWlRjU0N0TDZXNDhGWFJtK0hRNS9tRXRCDQpyaXg4MlY2Q1dELzNVRnRqRXJDWUZaZXhIM3RYbkpUK0lQb0ZQOFpxKytCVDE3SXBRUUhMMkVnR0dGTTUNClYzOVFBdlN6d2NGTUE3MjlkbUQybVkzRUFRLzlGOWY1WGkvUTZsdmxiOEcxMmVuSVlMK1FXbGcrVklDVQ0KUDRHTTczaGtpbEVZVUsyT2ZPbFZ1bzBmdVcwbTVqR005QXpkQzlEOXBsQkxNcWVKc255SEwrOU1Bek4zDQpaU21jL3hmTEhsZWErVmVxa3ZiNWk3dEVwWHJLSU1vTVlLSVhEaW5Iclk0WEh3UzU4c2xOZ0M0Qm5GT2INCk45R09Kbng3K3NRQldFanlXZFBDUng2MjV2cXZRU005bG1hYlJieXJuUyt6K2d6dHY4WGxBekdSVGU2Yg0KWW85a1lGb1k2VnFoS1lmVUtiUmN6YXRMTFM4UDBRUWk0Z2JMNjlKS25ZdSs5ZlRvSXI2NEx2MEhwOHNCDQpuVGFvdU45MkdYK1hyZUVMSkZmbzhrckFCenZSTGhkeVp2clM1UE5aMmR0NW50MjlBR3MxWG5HRGFQM0MNClZ0cXA1UWNyWjNyS0ZmeGpWdHdCRnU1ajdGalp3cWwzQmhqR1BlaXowWjl1N3IyU1lZYTY3bUtTR3kzTg0KdTdwdElWcHNtVWtMSTVzU2JwTTBra0V4c2dEVU15SGt2V3FObWh0dHdkUEJYYzJPeTJEellGdXViSFBrDQpxS2dJV2JNdFc5LzZ5eFU4aGZUT084alA3akNnTVhoazI3SUEzTXNqYUVmRzdxaEY0OFJHdkMzMVhYMHQNCjJSRUxyd3JBcHoxR2VNRkR0SHFiTUNnMDFiMGhWREJDRW8zait0bWpIODZUVUErRnRyTVZjR2swTG5JeQ0KMHBoeDgxeWYvenhSSUFRRWFNNnVQemNMeHRlVTJRdmpNMldqa3JWbDY5UWFLU2Frb1NicVMyQlRxYVkwDQpISllGKy85NjVwejZJT2xPeDBXeC9oYmh3emZ0MmxLOER3M05HYzFsSWtXd2sycjhzRmJTeEwwQmFUN1gNCk1WUlVVeTZ3Y1hJMHpRRXAwYkxJdGJmaTgrSytBelVTVnhJUkV6Nm1zU2VLaTJZbzRRWStZcmc3eG1jQQ0Ka0dvV0NTVVBXU2JWWm1ub1ZhREd1UlJ6VlhXUjdxTEFnWWJFdGU1UEUrOXJSVWpCaVF2a2JoWjk3RHdjDQplc1hlZUx2NzBtbkdzaHNhK2NKWkdEalZtdkVVTDhRRE16c3ArdERNTU5DbmNmNlpCMTBMSVMxeHNoRE8NCmdQakd0TFhSNGdGcVVSeDVoc2lYa0J0VnE2UWV4Wlh2Rm1sZWVuWm5Ma1JCWkdwNEFiWGZXSmU2eTBWMA0KTHVwSE43cmU4YW1pMzZYckt6Qkh6OU5hT1lzWmsyU09wZzdKYldQRnBkam9xSkJpQ3orTEhHOUNJWWNhDQpFcjhhZ25iRXpiYnE4MTBVbWU2NVo2VGlJdTJ5enJxRlIrV2hpbEVYNTcrY0taNXVtOFNwMk8wV05UZFkNCmFXU2MyNnNLMVJCNUhVQ05jdGtEZiszajJWdU1qWnd3OVA1SUhPMUhvM2QyOUxtWnFlZCtLWkZuaHNRQQ0KcjRJalZoMzJXdnlrNXpoNVhkNitudFEvdUo3enZjT1M2aWpEUGExWCs3bG9wdlZoQVBObVRxN3FqcHE2DQpzSHlJWTIzZGZBNFRGaEVOTlNaaHhpNEhpU3lMdkd4ZVFudGkrMENzRGttYlhQQ3VQVVZJTWQwVGZod28NCm9aLzk5WVBsOWFjNXo3dVRVejhoaFcweGgvWjk1SnJKNVRZQ21wSk5EWjJrclIwNEtXMk4zZjQ5U1RNVw0KOGl2WmFKdExBK0tFMVNHc3NuRkhSM2hURWo1ZndHc2dITXVtMDZBanlUYmdIYncxL0JlS0ZNYTZWU2R0DQo2TDhVa01sR2FndDhob0hSTW9aaEFWM203SHhZbkl5RmJKalNQcmtkN0pWKzR4S09mQStHUjNVZ2FlU28NCnArVmFNMDFkYWVGcHVrM0lHSEMwazZmMnFXQjQvSHJXWDNZZ1FTZ3UxYUVocXptS1BiTmIzTE8zUTNiTg0KQU1PdTd1c2ZjSllPakdJN0tia2FiaDMxNkhQV2c5ZWVGZ2FGQVdSWS9FV2tramRyQzVaWHEvMDBMd0JiDQp0Snkwa0Z0NmN6TDlHQW1RbW04UjFUaGNmTlpVTXhRY0pRRk9ldGNMWjFtNEVlcDhGTEVaWlM2TURIWnQNCmV3dnJRMnhqWm41d295bDBJRkVUWXd4RHAxUnVxcGhlc1RxY0l6MHJEKzg4OWxJRC9xTHlGbDNDWXNjNw0KRnEyMGN2WTdLT2ZSeUcybW5oOVI0ckNkTGo2aGtkZ091cWJvODRxYnNZYlpCN1BMVlg1aXZFaXlhd1lDDQptSmZ6bzIxdjlZSndNZUxJNUZPTlJQc1haVDJJOHl4SFlGL1ZQY0xSR3NEWGl4M0xFWHIxMlREbWhEeXkNCiswaVJTb041aEQxQTVLNE1tUmZjL21JZmpqUnMyWW92S0g3VFlUSDBOeHdFWlJZOEtlU1lKWUpZS2d4UQ0KVjVKZHBTS2Y0aEs5K2dRcWhWK3hzdHpZN2w3YmcxU1psdDZnZk9QTVY1UW5vU0xjQ21pbWJod0VKcEZGDQpvWjkwMzZUOFl3SU1mc2QzSUcyN2JvL3dkNjFFbW1kZW5IRTJ4a2IvM0IwYSttc0VNM2lRN0VtVkhYRW4NCk1XcUF5OEFOZ05ISm05VjV5U0dGVUkwTGEvQWtrZEVKWmppMm9XRHpxUXRNditya0g0Nm9oMTlwYWJVNQ0KS3dFRzFEUWhLNkRMdlcvS1lxSVhlUEJuNWxaaWVqTDNDWHZRM3JiWXI0OEwxL0VuM2dIcE00OVduQk9GDQpkUzVlN2Fuc2pMTFBQVGZpYTdiN3R6M1h2b3NxNHc2TXVSeElmSFAwaTVmQzRiM2JiaTF4VTlYMk9hMUcNCjdiNWVzVzdQSmJEemdSamdMbUhuYnNhcEo1WStPQVBzd3gwa2JEczBTeDNoUFlYKzFVa1prcFZXQjlLTA0KRE5Vay81ZHYvTDQ1TlllVWJEd2lTSkJ1enY5WCtyQTRZN2FmdWo2bTRIbUE3V0JIVEJMUnBUQm9wSlNVDQpZYlk0Z0RXRFJ3ZnNHVDcyT1k2Q2YySUFnRW94a2FpdXA0WWJrMnpQZGN3Z1RaNFI0U1Z6ZlE5bW02ZHgNCk5lSTZmT1g3Vnh0WUFOTHVpdzR5M2JQOGNCd1dXaE1vNkxmOTR4UWdXSFp5QWV4SG1GV1ZpMGxZSVpuKw0KcWEyRE9DY1doOFVBMHZjU0drZXFuV2cvdWRaUTdGYm9NRVlqWm94RzRMWCs3aldPRGdQOWc1dm5TNm5RDQp3VW0xdEhrTGg0Ti9vRjJmQjRNWUIwSDlhbFJRTFFyblhPbUFRU2dqTWg4d0ZzYWdjWWxRbFlIY2t0YmsNCmVtZ25PYmZKaFltdUJMUC9pMHBaTzF4QUhwMFU2eXJxR2kySzhneitremdONUVBR1dtVm5qVmlwMHZMbA0KTThvaVovdUMNCj0rajBrDQotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tDQo=" + } + } + ] + }, + "sizeEstimate": 5895, + "historyId": "1499379", + "internalDate": "1780746778000" + }, + "attachments": {}, + "raw": { + "id": "19e9cc77867bba39", + "threadId": "19e9cc77867bba39", + "labelIds": [ + "Label_15", + "SENT", + "INBOX" + ], + "snippet": "-----BEGIN PGP MESSAGE----- Version: FlowCrypt Email Encryption 8.5.13 Comment: Seamlessly send and receive encrypted email wcFMA0taL/zmLZUBARAAppqO6JcGThb0Jy1pZWk/N7nHV5syTuOhM1X89X79 GEsJ+GzB/", + "sizeEstimate": 5895, + "raw": "UmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCVNhdCwgNiBKdW4gMjAyNiAwNDo1Mjo1OCAtMDcwMA0KUmVjZWl2ZWQ6IGZyb20gNzE3Mjg0NzMwMjQ0DQoJbmFtZWQgdW5rbm93bg0KCWJ5IGdtYWlsYXBpLmdvb2dsZS5jb20NCgl3aXRoIEhUVFBSRVNUOw0KCVNhdCwgNiBKdW4gMjAyNiAwNDo1Mjo1OCAtMDcwMA0KQ29udGVudC1UeXBlOiBtdWx0aXBhcnQvbWl4ZWQ7DQogYm91bmRhcnk9Ii0tLS1zaW5pa2FlbC0_PV8xLTE3ODA3NDY3Nzc4ODIwLjI5NzkyMDk0NDIwMjYyOTUiDQpPcGVucGdwOiBpZD1FOEYwNTE3QkE2RDdEQUI2MDgxQzk2RTRBREFDMjc5Qzk1MDkzMjA3DQpGcm9tOiBGbG93Q3J5cHQgQ29tcGF0aWJpbGl0eSA8Zmxvd2NyeXB0LmNvbXBhdGliaWxpdHlAZ21haWwuY29tPg0KVG86IEZsb3dDcnlwdCBDb21wYXRpYmlsaXR5IDxmbG93Y3J5cHQuY29tcGF0aWJpbGl0eUBnbWFpbC5jb20-DQpTdWJqZWN0OiBmbG93Y3J5cHQtYnJvd3NlciAjNjIzNCB0ZXN0DQpEYXRlOiBTYXQsIDYgSnVuIDIwMjYgMDQ6NTI6NTggLTA3MDANCk1lc3NhZ2UtSWQ6IDxDQUtidUxUckhvZVUxMVhYK2ZORThibjQ9VWRHMjM5OFFGOS1OTHAzWWRSa0ZuUTdYLWdAbWFpbC5nbWFpbC5jb20-DQpNSU1FLVZlcnNpb246IDEuMA0KDQotLS0tLS1zaW5pa2FlbC0_PV8xLTE3ODA3NDY3Nzc4ODIwLjI5NzkyMDk0NDIwMjYyOTUNCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbg0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogcXVvdGVkLXByaW50YWJsZQ0KDQotLS0tLUJFR0lOIFBHUCBNRVNTQUdFLS0tLS0NClZlcnNpb246IEZsb3dDcnlwdCBFbWFpbCBFbmNyeXB0aW9uIDguNS4xMw0KQ29tbWVudDogU2VhbWxlc3NseSBzZW5kIGFuZCByZWNlaXZlIGVuY3J5cHRlZCBlbWFpbA0KDQp3Y0ZNQTB0YUwvem1MWlVCQVJBQXBwcU82SmNHVGhiMEp5MXBaV2svTjduSFY1c3lUdU9oTTFYODlYNzkNCkdFc0orR3pCL09lcklmajFPR2EwWlE1cnBMODZrM1ZidTd0cGpEYm5sMGczRTRXMUZscUdqYVVKK0Fmag0KS3gzbE0vaVdvUHZPcVRJeVE2SEdFT2g2ckN1ejN3aERtcWxWRHJzMjc3VHVpcHFHL0taV2MrV1ZQb3dhDQpRek01ODR4c0VkSTBSMllONFYzTnhPQTIrL2UzZFJZWHBTdzVXaVVNMm1rejJnUTUxVEpOSVhnUURib0sNCm5GVkJ4bG9LMHQ2MkZnZ1Z1NUpBZWFJYWI1am5xdGZjUEpLNVhUb1ovM3VmUnRjcEdON1Frb0NGVGRXRQ0KQjlhT0VrWEo5dyt3MjFiMis4UzhlK3IxalBoTWRjdmlBZHE5RDdxRVFQam41RDQ0cCt0N0c0YTFPTUY4DQo1dkNhTi8xNDFpS2ZwTFFCMDdxZFBscGl3aXJXOTlwamNNTjN2SUZKcFVpSldZOFNHWGd0VGtGQWN6LzMNCjdhcUVDTTB3c3o3Nm9CSHl1TXorT0I4cXZjbWxEdTdwb0VZSWxXN2NiTEJhZzdFbFB0Q0thNGRHbjVIMQ0KQk5KUnV2cEZNbzY2Um5WZ1BiRjNNU3RZeVEzVkozMXdtNENyMEZWNTZSSXVDVFpvdi9EV0tvSDc5WmgxDQpOY0pNWXpnUHJIRG1tQVM4SlpqeEV3SHV0Q0pKcXZ0QXZHRFd5N0ZPb0xrYTluNWx4YjVjNVl0R3JleE0NCllQU3NBalUxbjZoNVcwMktkNk53NkNTUU1VSXFaYWd1M2J3cTRldTUrWHJlT05CL1hZTU5vc04xL0ZIRQ0KeTM0TzVmZFJoSDRjWFJLMnpMeEJEVEZQbWVGVmNtUDZid3ZmWjYyOW9JYkJ3VXdEdmIxMllQYVpqY1FCDQpFQURaa3N6S2V0eCtTcmF3aXNqRzZGZElQbWpxTXE5ZG5uNEZjMmNEQzZSQ1ltcmhxcjdMcFF2S0tnQ3gNCk52UXB6Z2U4NWR4cE1UbjNreUtNVXVMcXJhNTE0YTQ3anp5aHNRWHRBRTlHUFYySFA4YzRMUmRXdVl2cw0KcEJLUDFKcitVRDF0Q3pXQ1RjZzhvdXk2MHhlUWRpOTBlbDlFa2JLcGx5V0RSZnl0eU43U0V2aTQveFduDQpRZlJLc3hKTTRrN1gwMERqSWluemdEQWpDeS94cEtPSlI1a2NJT2p2c1ZlQXNScEhKMmVpTkZNL1cvQmsNCkJQdnVmcVFmOXUxeVU0N3Vqcnp0SktYUWQ5NmM2TEVvMXBmOXBEN2kxQUdVWTUyQThKR1JFdWNIR0t1ZQ0KdEZtYnY2NkF6QW1DbVdCNjhDSVY5SzhSYU1rUUFGMWpwR0lmS09FOTBSYVg4T3U3eG52cjNLZXFWVzhtDQpGNkhXUFprN3lmK3l2RW05NE9ZYjJxbUpZNjJRb2t6VHZvaC9XRFVKOXZ5WjBFTkdNa0FudFRTVWlrQVMNClNFWUZZY2p3amFtQkRyUkFLZS8venNBK3RFVkUwOEdURmFhTmVSb0ZrbnBhZlNNejkvSzc5ZFUrWmh4OQ0KckdYR0lRcGV5cG9TZDU1dXIrT3BSWlRXaVNwTGZQVnBHSDdiYmtwTDJ4akZsdkJjcW5ma1paRnJDRGpZDQo5YkhHaWd3UW5yTHhtUklEY1BOTGVCaDFJcCtYUVNSR21UbXhOcXYxOUlvMlJES1JUV29yVkt2T2Y1SGoNCmNFYUE4QTBNKy9wSzRrVU5LNDFMdlJzdjRnRlMzNW1RNG43VEZVVk1SQUlOSUo5K2d1WnNjQU5XZ0pYdg0KVVJ1SXZtcHUzOHljWHJlaEF2bEhaN2UzY3NIQlRBTkxXaS84NWkyVkFRRVAvMFlDZHprQzdtQ2M3QWFGDQovRnFRaXNMRG8xUy9ZQVJYTlNrOXJJOW03UEVUVTB2cUFmMnZYMktHTlBTU3BCY3UwdXJDQXMzV1VUQzENCmkyMGt2bmJJQkF5VVRzZXl6cWE3cHhVN1pHN0htSDZzUCtQVm95QXhXSU5pVlIvQXh6TEM2T0ZwSU5acw0KQk5oK2FnS25aN3g0TlQzdG9XWkRVVnBjVUIvVTFodFhKZjFsOVpyV014SWhEaUpBcnJJeXk0U0R3RU9hDQpiTHBGcWIxR3VaeXFOTVZ4SUtTMUd5U3BTWExXeXAySzUrZ1U2cStnSU5sTWx2NEhQdTdFUnplRU5VRk0NClViSlFXYXpNbGZnakVjZ251MmdRKzdNdkNDVGFVcVRuOEVrdGcwWUlGbldPaXNqU3cvWDRHcS9vajY3Vw0KWUlJOXl0SHhWL0JDVXZtQUFtNVYvdEVhZ1RKRCtObFpYWXFNL3loQzV4ekpZbDZxc21Qa0xFNGZEekdZDQpObGltdUkzdnNHVUw5N2VsaTh2dG9hT3FnYTJqNHZsZzVOMkxVaWNaTVgwWWpYM055d3hlWXBsUFBTVTANClNmc1BsWHJHS3N5YnhvMmJrWWlJSUN5cWRKYWNrWGpVeXhNNlV1ZGFEcit5U0YxZ0NBWCtiNCtrcmJyMg0KMjhQek9GcGIrRXNVZnh5UkIrT0FBTUJtZlNYL1ROTFY0c1FhRGUrcnJhUTF0NkNUZVhPcVA3SWZlYXJCDQo4U2tSbk9CVUQrMEE4RjlBWVIvakJPSmRSM1MrNFpZelRBL1paVGNTQ3RMNlc0OEZYUm0rSFE1L21FdEINCnJpeDgyVjZDV0QvM1VGdGpFckNZRlpleEgzdFhuSlQrSVBvRlA4WnErK0JUMTdJcFFRSEwyRWdHR0ZNNQ0KVjM5UUF2U3p3Y0ZNQTcyOWRtRDJtWTNFQVEvOUY5ZjVYaS9RNmx2bGI4RzEyZW5JWUwrUVdsZytWSUNVDQpQNEdNNzNoa2lsRVlVSzJPZk9sVnVvMGZ1VzBtNWpHTTlBemRDOUQ5cGxCTE1xZUpzbnlITCs5TUF6TjMNClpTbWMveGZMSGxlYStWZXFrdmI1aTd0RXBYcktJTW9NWUtJWERpbkhyWTRYSHdTNThzbE5nQzRCbkZPYg0KTjlHT0pueDcrc1FCV0VqeVdkUENSeDYyNXZxdlFTTTlsbWFiUmJ5cm5TK3orZ3p0djhYbEF6R1JUZTZiDQpZbzlrWUZvWTZWcWhLWWZVS2JSY3phdExMUzhQMFFRaTRnYkw2OUpLbll1KzlmVG9JcjY0THYwSHA4c0INCm5UYW91TjkyR1grWHJlRUxKRmZvOGtyQUJ6dlJMaGR5WnZyUzVQTloyZHQ1bnQyOUFHczFYbkdEYVAzQw0KVnRxcDVRY3JaM3JLRmZ4alZ0d0JGdTVqN0ZqWndxbDNCaGpHUGVpejBaOXU3cjJTWVlhNjdtS1NHeTNODQp1N3B0SVZwc21Va0xJNXNTYnBNMGtrRXhzZ0RVTXlIa3ZXcU5taHR0d2RQQlhjMk95MkR6WUZ1dWJIUGsNCnFLZ0lXYk10VzkvNnl4VThoZlRPTzhqUDdqQ2dNWGhrMjdJQTNNc2phRWZHN3FoRjQ4Ukd2QzMxWFgwdA0KMlJFTHJ3ckFwejFHZU1GRHRIcWJNQ2cwMWIwaFZEQkNFbzNqK3Rtakg4NlRVQStGdHJNVmNHazBMbkl5DQowcGh4ODF5Zi96eFJJQVFFYU02dVB6Y0x4dGVVMlF2ak0yV2prclZsNjlRYUtTYWtvU2JxUzJCVHFhWTANCkhKWUYrLzk2NXB6NklPbE94MFd4L2hiaHd6ZnQybEs4RHczTkdjMWxJa1d3azJyOHNGYlN4TDBCYVQ3WA0KTVZSVVV5NndjWEkwelFFcDBiTEl0YmZpOCtLK0F6VVNWeElSRXo2bXNTZUtpMllvNFFZK1lyZzd4bWNBDQprR29XQ1NVUFdTYlZabW5vVmFER3VSUnpWWFdSN3FMQWdZYkV0ZTVQRSs5clJVakJpUXZrYmhaOTdEd2MNCmVzWGVlTHY3MG1uR3Noc2ErY0paR0RqVm12RVVMOFFETXpzcCt0RE1NTkNuY2Y2WkIxMExJUzF4c2hETw0KZ1BqR3RMWFI0Z0ZxVVJ4NWhzaVhrQnRWcTZRZXhaWHZGbWxlZW5abkxrUkJaR3A0QWJYZldKZTZ5MFYwDQpMdXBITjdyZThhbWkzNlhyS3pCSHo5TmFPWXNaazJTT3BnN0piV1BGcGRqb3FKQmlDeitMSEc5Q0lZY2ENCkVyOGFnbmJFemJicTgxMFVtZTY1WjZUaUl1Mnl6cnFGUitXaGlsRVg1NytjS1o1dW04U3AyTzBXTlRkWQ0KYVdTYzI2c0sxUkI1SFVDTmN0a0RmKzNqMlZ1TWpad3c5UDVJSE8xSG8zZDI5TG1acWVkK0taRm5oc1FBDQpyNElqVmgzMld2eWs1emg1WGQ2K250US91Sjd6dmNPUzZpakRQYTFYKzdsb3B2VmhBUE5tVHE3cWpwcTYNCnNIeUlZMjNkZkE0VEZoRU5OU1poeGk0SGlTeUx2R3hlUW50aSswQ3NEa21iWFBDdVBVVklNZDBUZmh3bw0Kb1ovOTlZUGw5YWM1ejd1VFV6OGhoVzB4aC9aOTVKcko1VFlDbXBKTkRaMmtyUjA0S1cyTjNmNDlTVE1XDQo4aXZaYUp0TEErS0UxU0dzc25GSFIzaFRFajVmd0dzZ0hNdW0wNkFqeVRiZ0hidzEvQmVLRk1hNlZTZHQNCjZMOFVrTWxHYWd0OGhvSFJNb1poQVYzbTdIeFluSXlGYkpqU1Bya2Q3SlYrNHhLT2ZBK0dSM1VnYWVTbw0KcCtWYU0wMWRhZUZwdWszSUdIQzBrNmYycVdCNC9IcldYM1lnUVNndTFhRWhxem1LUGJOYjNMTzNRM2JODQpBTU91N3VzZmNKWU9qR0k3S2JrYWJoMzE2SFBXZzllZUZnYUZBV1JZL0VXa2tqZHJDNVpYcS8wMEx3QmINCnRKeTBrRnQ2Y3pMOUdBbVFtbThSMVRoY2ZOWlVNeFFjSlFGT2V0Y0xaMW00RWVwOEZMRVpaUzZNREhadA0KZXd2clEyeGpabjV3b3lsMElGRVRZd3hEcDFSdXFwaGVzVHFjSXowckQrODg5bElEL3FMeUZsM0NZc2M3DQpGcTIwY3ZZN0tPZlJ5RzJtbmg5UjRyQ2RMajZoa2RnT3VxYm84NHFic1liWkI3UExWWDVpdkVpeWF3WUMNCm1KZnpvMjF2OVlKd01lTEk1Rk9OUlBzWFpUMkk4eXhIWUYvVlBjTFJHc0RYaXgzTEVYcjEyVERtaER5eQ0KKzBpUlNvTjVoRDFBNUs0TW1SZmMvbUlmampSczJZb3ZLSDdUWVRIME54d0VaUlk4S2VTWUpZSllLZ3hRDQpWNUpkcFNLZjRoSzkrZ1FxaFYreHN0elk3bDdiZzFTWmx0NmdmT1BNVjVRbm9TTGNDbWltYmh3RUpwRkYNCm9aOTAzNlQ4WXdJTWZzZDNJRzI3Ym8vd2Q2MUVtbWRlbkhFMnhrYi8zQjBhK21zRU0zaVE3RW1WSFhFbg0KTVdxQXk4QU5nTkhKbTlWNXlTR0ZVSTBMYS9Ba2tkRUpaamkyb1dEenFRdE12K3JrSDQ2b2gxOXBhYlU1DQpLd0VHMURRaEs2REx2Vy9LWXFJWGVQQm41bFppZWpMM0NYdlEzcmJZcjQ4TDEvRW4zZ0hwTTQ5V25CT0YNCmRTNWU3YW5zakxMUFBUZmlhN2I3dHozWHZvc3E0dzZNdVJ4SWZIUDBpNWZDNGIzYmJpMXhVOVgyT2ExRw0KN2I1ZXNXN1BKYkR6Z1JqZ0xtSG5ic2FwSjVZK09BUHN3eDBrYkRzMFN4M2hQWVgrMVVrWmtwVldCOUtMDQpETlVrLzVkdi9MNDVOWWVVYkR3aVNKQnV6djlYK3JBNFk3YWZ1ajZtNEhtQTdXQkhUQkxScFRCb3BKU1UNClliWTRnRFdEUndmc0dUNzJPWTZDZjJJQWdFb3hrYWl1cDRZYmsyelBkY3dnVFo0UjRTVnpmUTltbTZkeA0KTmVJNmZPWDdWeHRZQU5MdWl3NHkzYlA4Y0J3V1doTW82TGY5NHhRZ1dIWnlBZXhIbUZXVmkwbFlJWm4rDQpxYTJET0NjV2g4VUEwdmNTR2tlcW5XZy91ZFpRN0Zib01FWWpab3hHNExYKzdqV09EZ1A5ZzV2blM2blENCndVbTF0SGtMaDROL29GMmZCNE1ZQjBIOWFsUlFMUXJuWE9tQVFTZ2pNaDh3RnNhZ2NZbFFsWUhja3Riaw0KZW1nbk9iZkpoWW11QkxQL2kwcFpPMXhBSHAwVTZ5cnFHaTJLOGd6K2t6Z041RUFHV21WbmpWaXAwdkxsDQpNOG9pWi91Qw0KPTNEK2owaw0KLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQ0KDQotLS0tLS1zaW5pa2FlbC0_PV8xLTE3ODA3NDY3Nzc4ODIwLjI5NzkyMDk0NDIwMjYyOTUtLQ0K", + "historyId": "1499379", + "internalDate": "1780746778000" + } +} \ No newline at end of file diff --git a/test/source/tests/decrypt.ts b/test/source/tests/decrypt.ts index 0f061c9f972..02b627f05ad 100644 --- a/test/source/tests/decrypt.ts +++ b/test/source/tests/decrypt.ts @@ -2263,21 +2263,34 @@ XZ8r4OC6sguP/yozWlkG+7dDxsgKQVBENeG6Lw== test( `decrypt - css sanitizer must not allow UI redress or url() leakage`, testWithBrowser(async (t, browser) => { - const threadId = '19e9782fbc7127c4'; + const threadId = '19e9cc77867bba39'; const { acctEmail } = await BrowserRecipe.setupCommonAcctWithAttester(t, browser, 'compatibility'); const inboxPage = await browser.newExtensionPage(t, `chrome/settings/inbox/inbox.htm?acctEmail=${acctEmail}&threadId=${threadId}`); await inboxPage.waitForSelTestState('ready'); await inboxPage.waitAll('iframe'); const pgpBlock = await inboxPage.getFrame(['pgp_block.htm']); await pgpBlock.waitForContent('@pgp-block-content', 'sanitization test payload'); - expect(await pgpBlock.isElementPresent('[style*="position"]')).to.equal(false); - expect(await pgpBlock.isElementPresent('[style*="z-index"]')).to.equal(false); - const hasUrlCss = await pgpBlock.target.evaluate(() => - [...document.querySelectorAll('*')].some(el => (el.getAttribute('style') || '').includes('url(')) - ); - expect(hasUrlCss).to.equal(false); - expect(await pgpBlock.isElementPresent('[style*="transform"]')).to.equal(false); - expect(await pgpBlock.isElementPresent('[style*="opacity"]')).to.equal(false); + const styles = await pgpBlock.target.evaluate(() => [...document.querySelectorAll('[style]')].map(el => el.getAttribute('style') || '')); + const combined = styles.join(' ').toLowerCase(); + expect(combined.includes('position')).to.equal(false); + expect(combined.includes('z-index')).to.equal(false); + expect(combined.includes('top:')).to.equal(false); + expect(combined.includes('left:')).to.equal(false); + expect(combined.includes('width:')).to.equal(false); + expect(combined.includes('height:')).to.equal(false); + expect(combined.includes('opacity')).to.equal(false); + expect(combined.includes('transform')).to.equal(false); + expect(combined.includes('pointer-events')).to.equal(false); + expect(combined.includes('font-size')).to.equal(false); + expect(combined.includes('line-height')).to.equal(false); + expect(combined.includes('text-indent')).to.equal(false); + expect(combined.includes('filter')).to.equal(false); + expect(combined.includes('clip-path')).to.equal(false); + expect(combined.includes('url(')).to.equal(false); + expect(combined.includes('@import')).to.equal(false); + expect(combined.includes('po/**/sition:fixed')).to.equal(false); + // verify safe styles survive + expect(combined.includes('color:green')).to.equal(true); await inboxPage.close(); }) ); From 927ba0c733ca4eed4e43c5589cd52ab023f189b7 Mon Sep 17 00:00:00 2001 From: martgil Date: Mon, 8 Jun 2026 19:00:22 +0800 Subject: [PATCH 10/10] feat: enforce strict css normalization --- extension/js/common/platform/xss.ts | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts index 41317353a8f..fe157efbc75 100644 --- a/extension/js/common/platform/xss.ts +++ b/extension/js/common/platform/xss.ts @@ -277,6 +277,22 @@ export class Xss { } }; + /** + * Decode CSS escape sequences before applying security checks + */ + private static normalizeCssEscapes = (css: string): string => { + return css.replace(/\\(?:\r\n|[\n\r\f])|\\([0-9a-fA-F]{1,6}\s?|.)/g, (_match: string, escaped: string | undefined) => { + if (typeof escaped === 'undefined') { + return ''; + } + if (/^[0-9a-fA-F]/.test(escaped)) { + const codePoint = Number.parseInt(escaped.trim(), 16); + return codePoint > 0 && codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : ''; + } + return escaped; + }); + }; + /** * Remove @import rules and any url(...) that would cause an out‑of‑band request. * Only data: and cid: URLs are allowed. @@ -285,7 +301,7 @@ export class Xss { return css .replace(/\/\*[\s\S]*?\*\//g, '') .split(';') - .map(part => part.trim()) + .map(part => this.normalizeCssEscapes(part.trim())) .filter(part => { return !/^(z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:/i.test( part