[Desktop] Avoid relying on innerHTML for Brave Rewards & Welcome pages

[mariospr]

Description

For Chromium 87, we needed to push a patch named "Disable Trusted Types mitigation on Brave's Welcome & Rewards pages" that disables the Content Security Policy for Trusted Types in Brave's Welcome and Rewards WebUI pages, since they rely on the ability to assign untrusted text to the innerHTML element to deal with translations and error messages (you can search for dangerouslySetInnerHTML in *.tsx files to find where exactly this is a problem).

This is consistent with what upstream Chromium does for pages that don't support Trusted Types yet (see CL 2234238), but it would be good if Brave's WebUI pages could eventually migrate from this model, which would need some refactor of the current JS code, which heavily relies on innerHTML for translations.

Chromium change:

Steps to Reproduce

1. Build Cr87-based Brave with the patch mentioned in the description reverted
2. Load Brave Rewards main page (brave://rewards)

Actual result:

The page doesn't load and there's an error on the console saying "This document requires 'TrustedHTML' assignment."

Expected result:

The page should work fine, no errors on the console.

Reproduces how often:

Always, assuming the patch mentioned in the description is reverted

Brave version (brave://version info)

Brave 1.15.37 or newer (Chromium: 87.0.4250.0 (Developer Build) (64-bit)), but only with the patch reverted.

QA test steps

see test plan in brave/brave-core#6669

[diracdeltas]

good call, we shouldn't be using innerHTML anyway. (it's mentioned in our security review guidelines)

[diracdeltas]

@mariospr how do i revert this patch for a build? sorry i've not had to do this before.

[mariospr]

@mariospr how do i revert this patch for a build? sorry i've not had to do this before.

Apologies, I think I might have poorly explained the problem in the description 🤔

There is no patch to revert on any current build, nor even on a branch right now... the problem only affected the WIP branch cr87 until we figured out the patch to solve the issue, which has been applied in brave/brave-core@37848a5f. This was not a problem before (neither on the current stable cr85-based version of Brave, nor on the incoming cr86-based one), so the only way you could experience this problem is by building the cr87 branch from sources with the path brave/brave-core@37848a5f reverted on top.

So, when I said that the problem reproduces "always for Brave 1.15.37 or newer (Chromium: 87.0.4250.0), but only with the patch reverted", it was just a way for me to show where the problem was before it got worked around for the incoming cr87-based release, not that the problem is still reproducible in there. But, as said, this is a workaround and the true fix would be to avoid relying on innerHTML, which is what this issue is actually for.

Hope that this clarifies things, but please feel free to ask more questions if not! 🙂

[zenparsing]

For localization of strings that may contain markup (such as links) when displayed, we should use the pattern described here.

[diracdeltas]

@mariospr ah ok, thanks for clarifying.

[GeetaSarvadnya]

Verification passed on

Brave | 1.16.43 Chromium: 86.0.4240.55 (Official Build) nightly (64-bit)
-- | --
Revision | a6d625ef6f7fe8ea0675f1cf759155a05ee1be40-refs/branch-heads/4240@{#953}
OS | Windows 10 OS Version 1903 (Build 18362.1016)

• Verified the test plan from remove all calls to dangerouslySetInnerHTML brave-core#6669
• Encountered Verify wallet text message is missing in BR panel #11907 and Verify wallet dropdown options are missing for unsupported region  #11915

---

Verification completed using

Brave	1.16.57 Chromium: 86.0.4240.75 (Official Build) dev (x86_64)
Revision	c69c33933bfc72a159aceb4aeca939eb0087416c-refs/branch-heads/4240@{#1149}
OS	macOS Version 10.14.6 (Build 18G3020)

Verified test plan from brave/brave-core#6669

• Confirmed links on p3a slide of brave://welcome link to https://brave.com/privacy-preserving-product-analytics-p3a/ and brave://settings/privacy each in a new tab.

• Confirmed wallet restore of "16 word" wallet shows expected message. Confirmed the here link opens https://brave.com/faq/#convert-old-keys in a new tab.

• Confirmed min 25 BAT balance required for wallet verification

• Confirmed BAT value displayed on "Reset" tab

• Confirmed Uphold modal is displayed

Encountered #11908 when attempting to confirm unsupported region message.

---

Verification passed on

Brave	1.16.55 Chromium: 86.0.4240.72 (Official Build) dev (64-bit)
Revision	581582174c512f44f44fd1aea340471f54b2365f-refs/branch-heads/4240@{#1134}
OS	Ubuntu 18.04 LTS

• Verified the test plan from remove all calls to dangerouslySetInnerHTML brave-core#6669

[srirambv]

Removed OS/Android label after discussing with @NejcZdovc