pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser

An attacker who controls a PostgreSQL server — or who can create database objects (tables, columns) whose names contain HTML — can inject arbitrary HTML, including an `<iframe>` with a `srcdoc` attribute, into the pgAdmin DOM. The injection occurs when the victim's pgAdmin connects to the malicious server and the server returns an `ErrorResponse` message that quotes back the crafted object name, or when the victim views an `EXPLAIN` plan that references the crafted object [patch_id=6590908]. Because pgAdmin's default Content-Security-Policy allows inline script and an iframe `srcdoc` inherits the embedding origin, the injected JavaScript runs same-origin to the victim's authenticated pgAdmin session and can read every saved server connection credential and issue arbitrary SQL against every server the victim was connected to [patch_id=6590909]. Standard anti-clickjacking controls (X-Frame-Options, CSP frame-ancestors) do not mitigate this because the injection originates from inside pgAdmin's own interface [patch_id=6590909].

The vulnerability spans every user-facing sink that passes PostgreSQL server text through `html-react-parser` without sanitisation: the notifier toasts, `FormFooterMessage` / `FormInput` help and error areas, `FormNote`, `ModalProvider` `AlertContent` and `confirmDelete`, `ToolErrorView`, the Explain visualiser's `NodeText` panel, the SQL editor confirm dialogs, `ConfirmSaveContent`, `PreferencesHelper` modal alerts, and `SelectThemes` helper text [patch_id=6590908]. The fix adds DOMPurify sanitisation at every `HTMLReactParse` call site, introduces a plain-text rendering contract (`SafeMessage` / `SafeHtmlMessage` components and `Notifier.errorText` / `alertText` helpers), and applies backend HTML-escape in `execute_post_connection_sql` via `sanitize_driver_message` [patch_id=6590908].

The fix combines three complementary layers [patch_id=6590908]. First, DOMPurify sanitisation is wrapped around every `html-react-parser` call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. Second, a new plain-text rendering contract — `SafeMessage` / `SafeHtmlMessage` components plus `Notifier.errorText` / `alertText` / `warningText` / `infoText` / `successText` helpers — is introduced; around fifty callers that previously interpolated backend-derived strings are migrated to the plain-text variants. Third, backend HTML-escape is applied at the post-connection-SQL handler (`execute_post_connection_sql`) via a new `sanitize_driver_message` helper, and the Explain plan-info renderer is patched to `_.escape` `Recheck Cond` and `Exact Heap Blocks` at construction, giving defence in depth even before DOMPurify runs [patch_id=6590908].