fix: encrypted message wrongly hides plain text

Author: ioanatflowcrypt

extension/js/common/message-renderer.ts

@@ -370,8 +370,10 @@ export class MessageRenderer {
         loaderContext.prependEncryptedAttachment(a);
         return 'replaced'; // native should be hidden, custom should appear instead
       } else if (treatAs === 'encryptedMsg') {
-        this.setMsgBodyAndStartProcessing(loaderContext, treatAs, messageInfo.printMailInfo, messageInfo.from?.email, renderModule =>
-          this.processEncryptedMsgAttachment(a, renderModule, messageInfo.from?.email, messageInfo.isPwdMsgBasedOnMsgSnippet, messageInfo.plainSubject)
+        this.setMsgBodyAndStartProcessing(
+          loaderContext, treatAs, messageInfo.printMailInfo, messageInfo.from?.email,
+          renderModule => this.processEncryptedMsgAttachment(a, renderModule, messageInfo.from?.email, messageInfo.isPwdMsgBasedOnMsgSnippet, messageInfo.plainSubject),
+          'append'
         );
         return 'hidden'; // native attachment should be hidden, the "attachment" goes to the message container
       } else if (treatAs === 'privateKey') {
@@ -802,10 +804,11 @@ export class MessageRenderer {
     type: string, // for diagnostics
     printMailInfo: PrintMailInfo | undefined,
     senderEmail: string | undefined,
-    cb: (renderModule: RenderInterface) => Promise<{ publicKeys?: string[] }>
+    cb: (renderModule: RenderInterface) => Promise<{ publicKeys?: string[] }>,
+    method: 'set' | 'append' = 'set'
   ) => {
     const { frameId, frameXssSafe } = this.factory.embeddedMsg(type); // xss-safe-factory
-    loaderContext.setMsgBody_DANGEROUSLY(frameXssSafe, 'set'); // xss-safe-value
+    loaderContext.setMsgBody_DANGEROUSLY(frameXssSafe, method); // xss-safe-value
     this.relayAndStartProcessing(this.relayManager, this.factory, frameId, printMailInfo, senderEmail, cb);
   };
 

extension/js/content_scripts/webmail/gmail/gmail-loader-context.ts

@@ -44,9 +44,9 @@ export class GmailLoaderContext implements LoaderContextInterface {
     } else if (method === 'append') {
       if (replace) {
         const parent = msgBody.parent();
-        const wrapper = msgBody.wrap(this.wrapMsgBodyEl(''));
-        wrapper.append(newHtmlContent_MUST_BE_XSS_SAFE); // xss-reinsert // xss-safe-value
-        this.ensureHasParentNode(wrapper); // Gmail is using msgBody.parentNode (#2271)
+        const existingHtml = msgBody.html() || ''; // xss-direct - preserving existing Gmail-rendered content
+        msgBody.replaceWith(this.wrapMsgBodyEl(existingHtml + newHtmlContent_MUST_BE_XSS_SAFE)); // xss-safe-value
+        this.ensureHasParentNode(msgBody); // Gmail is using msgBody.parentNode (#2271)
         return parent.find('.message_inner_body'); // need to return new selector - old element was replaced
       } else {
         return msgBody.append(newHtmlContent_MUST_BE_XSS_SAFE); // xss-safe-value

test/source/tests/decrypt.ts

@@ -608,17 +608,17 @@ export const defineDecryptTests = (testVariant: TestVariant, testWithBrowser: Te
       `decrypt - [gpgmail] encrypted utf8`,
       testWithBrowser(async (t, browser) => {
         const { authHdr } = await BrowserRecipe.setupCommonAcctWithAttester(t, browser, 'compatibility');
-        await BrowserRecipe.pgpBlockVerifyDecryptedContent(
-          t,
-          browser,
-          '161b2ac5a73d4097',
-          {
-            content: ['Prozent => %', 'Scharf-S => ß', 'Ue => Ü', 'Ae => Ä'],
-            encryption: 'encrypted',
-            signature: 'could not verify signature: missing pubkey 9BBE40BC1E8CE4A3',
-          },
-          authHdr
-        );
+        const gmailPage = await browser.newPage(t, `${t.context.urls?.mockGmailUrl()}/161b2ac5a73d4097`, undefined, authHdr);
+        await gmailPage.waitAll('iframe');
+        const pgpBlockFrame = await gmailPage.getFrame(['pgp_block.htm']);
+        await BrowserRecipe.pgpBlockCheck(t, pgpBlockFrame, {
+          content: ['Prozent => %', 'Scharf-S => ß', 'Ue => Ü', 'Ae => Ä'],
+          encryption: 'encrypted',
+          signature: 'could not verify signature: missing pubkey 9BBE40BC1E8CE4A3',
+        });
+        await gmailPage.waitForContent('.message_inner_body', '1io | Sales & Marketing');
+        await gmailPage.waitForContent('.message_inner_body', '1io GmbH');
+        await gmailPage.close();
       })
     );