diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts
index 705f86e9ece..9e5c5c0536c 100644
--- a/extension/js/common/platform/xss.ts
+++ b/extension/js/common/platform/xss.ts
@@ -137,7 +137,7 @@ export class Xss {
         } else if (imgHandling === 'IMG-KEEP' && checkValidURL(src)) {
           // replace remote image with remote_image_container
           const remoteImgEl = `
-        <div class="remote_image_container" data-src="${src}" data-test="remote-image-container">
+        <div class="remote_image_container" data-src="${Xss.escape(src)}" data-test="remote-image-container">
           <span>Authenticity of this remote image cannot be verified.</span>
         </div>`;
           Xss.replaceElementDANGEROUSLY(img, remoteImgEl); // xss-safe-value
@@ -147,7 +147,7 @@ export class Xss {
       // Handle custom containers or CID-patterned src
       if ((node.classList.contains('remote_image_container') || CID_PATTERN.test(node.getAttribute('src') ?? '')) && imgHandling === 'IMG-TO-PLAIN-TEXT') {
         const replacement = node.getAttribute('data-src') ?? node.getAttribute('alt') ?? '';
-        Xss.replaceElementDANGEROUSLY(node, replacement); // xss-safe-value
+        Xss.replaceElementDANGEROUSLY(node, Xss.escape(replacement)); // xss-safe-value
       }
 
       // Handle links (target and rel attributes)
@@ -171,7 +171,7 @@ export class Xss {
     for (const imageContainer of imageContainerList) {
       const imgUrl = imageContainer.dataset.src;
       if (imgUrl) {
-        Xss.sanitizeAppend(imageContainer, `<img src="${imgUrl}"/>`);
+        Xss.sanitizeAppend(imageContainer, `<img src="${Xss.escape(imgUrl)}"/>`);
       }
     }
   };
diff --git a/extension/manifest.json b/extension/manifest.json
index 1dacb7dea2a..6ccc1de815a 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -98,6 +98,6 @@
   ],
   "minimum_chrome_version": "96",
   "content_security_policy": {
-    "extension_pages": "script-src 'self'; frame-ancestors https://mail.google.com 'self'; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
+    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-src 'self' https://mail.google.com/ blob:; worker-src 'self'; connect-src 'self' https://*.google.com https://*.googleapis.com https://flowcrypt.com; default-src 'self'; frame-ancestors 'self' https://mail.google.com; base-uri 'self'; form-action 'self' https://accounts.google.com; font-src 'self' data:; manifest-src 'self'; object-src 'none'; media-src 'self' blob: https:; require-trusted-types-for 'script'; trusted-types default DOMPurify; upgrade-insecure-requests; block-all-mixed-content;"
   }
 }