@chat21/chat21-ionic 3.4.23 → 3.4.25

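--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -8,6 +8,12 @@
 ### **Copyrigth**:
 *Tiledesk SRL*
 
+# 3.4.25 in PROD
+- **changed**: pipe marked to support malicious text input
+
+# 3.4.24 in PROD
+- **changed**: fullname in info message replaced with firstname
+
 # 3.4.23 in PROD
 
 # 3.4.23-rc3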
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@chat21/chat21-ionic",
3
3
  "author": "Tiledesk SRL",
4
- "version": "3.4.23",
4
+ "version": "3.4.25",
5
5
  "license": "MIT License",
6
6
  "homepage": "https://tiledesk.com/",
7
7
  "repository": {
@@ -1,6 +1,7 @@
1
1
  import { Pipe, PipeTransform } from '@angular/core';
2
2
  import { marked } from 'marked';
3
3
 
4
+
4
5
  @Pipe({
5
6
  name: 'marked'
6
7
  })
@@ -8,19 +9,78 @@ import { marked } from 'marked';
8
9
  export class MarkedPipe implements PipeTransform {
9
10
  transform(value: any): any {
10
11
  const renderer = new marked.Renderer();
11
- renderer.link = function(href, title, text) {
12
- const link = marked.Renderer.prototype.link.call(this, href, title, text);
13
- return link.replace('<a', '<a target="_blank" ');
12
+ renderer.link = function (href, title, text) {
13
+ // Normalizza l'href per evitare falsi negativi
14
+ const normalized = (href || '').trim().toLowerCase();
15
+ // Pattern pericolosi da cercare nell'intero URL (non solo all'inizio)
16
+ const dangerousPatterns = [
17
+ /javascript:/i, // javascript: protocol
18
+ /data:/i, // data: protocol
19
+ /vbscript:/i, // vbscript: protocol
20
+ /on\w+\s*=/i, // event handlers (onclick, onload, etc.)
21
+ /alert\s*\(/i, // alert() function
22
+ /eval\s*\(/i, // eval() function
23
+ /document\./i, // document object access
24
+ /window\./i, // window object access
25
+ /\.appendChild\s*\(/i, // DOM manipulation
26
+ /\.createElement\s*\(/i, // DOM creation
27
+ /<script/i, // script tags
28
+ /<\/script>/i, // closing script tags
29
+ /function\s*\(/i, // function definitions
30
+ /\(function/i, // IIFE patterns
31
+ /setTimeout\s*\(/i, // setTimeout
32
+ /setInterval\s*\(/i, // setInterval
33
+ /location\./i, // location object manipulation
34
+ /history\./i, // history object manipulation
35
+ /localStorage\./i, // localStorage access
36
+ /sessionStorage\./i, // sessionStorage access
37
+ /cookie/i, // cookie manipulation
38
+ /fetch\s*\(/i, // fetch API
39
+ /XMLHttpRequest/i, // XHR
40
+ /FormData/i, // FormData
41
+ /Blob\s*\(/i, // Blob constructor
42
+ /FileReader/i, // FileReader
43
+ /crypto\./i, // crypto object
44
+ /btoa\s*\(/i, // base64 encoding
45
+ /atob\s*\(/i, // base64 decoding
46
+ /decodeURI/i, // URI decoding
47
+ /encodeURI/i, // URI encoding
48
+ /String\.fromCharCode/i, // character code conversion
49
+ /unescape\s*\(/i, // unescape function
50
+ /escape\s*\(/i // escape function
51
+ ];
52
+
53
+ // Controlla se l'URL contiene pattern pericolosi
54
+ const isDangerous = dangerousPatterns.some(p => p.test(normalized));
55
+ if (isDangerous) {
56
+ // Se l’URL è pericoloso, restituisci solo il testo
57
+ return text || href || '';
58
+ }
59
+
60
+ // tokens = this.cleanInput(href);
61
+
62
+ if (!href) return text;
63
+
64
+ return `<a href="${href}" target="_blank" rel="noopener noreferrer">${text}</a>`;
14
65
  };
66
+
15
67
  marked.setOptions({
16
- renderer: renderer
68
+ renderer,
69
+ gfm: true,
70
+ breaks: true
17
71
  });
72
+
18
73
  if (value && value.length > 0) {
19
- const text = marked(value);
20
- return text;
74
+ try {
75
+ return marked.parse(value);
76
+ } catch (err) {
77
+ console.error('Errore nel parsing markdown:', err);
78
+ return value;
79
+ }
21
80
  }
22
81
  return value;
23
82
  }
24
83
 
25
84
 
85
+
26
86
  }
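Review bot: The rewritten `renderer.link` interpolates `href` (and silently drops `title`) straight into the `<a href="…">` attribute with no escaping, whereas the removed `marked.Renderer.prototype.link.call(...)` went through marked's own attribute escaping, so a `"` in the URL now ends the attribute early and whatever follows is emitted as markup. The regex deny-list is also the wrong shape for this check: it can only reject what it enumerates, and at the same time it rejects ordinary URLs (any path containing `document.`, `window.`, `cookie` or `escape(` trips it), and `return text || href || ''` on rejection still echoes the rejected URL as link text. Prefer an allow-list of schemes taken from `new URL(href, base).protocol` plus attribute escaping, as sketched below. Separately, `marked.setOptions({...})` near the end of the hunk mutates marked's global state on every `transform` call, which the commit now extends with `gfm`/`breaks`; passing them per call as `marked.parse(value, { renderer, gfm: true, breaks: true })` keeps the pipe free of global side effects.
```typescript
renderer.link = function (href, title, text) {
  const raw = (href || '').trim();
  // Allow-list the scheme instead of pattern-matching the whole URL; the base is
  // only there so relative links parse, it never reaches the output.
  let allowed = false;
  try {
    const proto = new URL(raw, 'https://placeholder.invalid/').protocol;
    allowed = proto === 'http:' || proto === 'https:' || proto === 'mailto:';
  } catch {
    allowed = false;
  }
  if (!raw || !allowed) {
    return text || '';
  }
  const escapeAttr = (s: string) =>
    s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const titleAttr = title ? ` title="${escapeAttr(title)}"` : '';
  return `<a href="${escapeAttr(raw)}"${titleAttr} target="_blank" rel="noopener noreferrer">${text}</a>`;
};
// … unchanged: marked options and parse …
```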
@@ -386,9 +386,9 @@ export class FirebaseConversationHandler extends ConversationHandlerService {
386
386
  complement = INFO_SUPPORT_USER_ADDED_COMPLEMENT;
387
387
  } else {
388
388
 
389
- if (message.attributes.messagelabel.parameters.fullname) {
389
+ if (message.attributes.messagelabel.parameters.firstname) {
390
390
  // other user has been added to the group (and he has a fullname)
391
- subject = message.attributes.messagelabel.parameters.fullname;
391
+ subject = message.attributes.messagelabel.parameters.firstname;
392
392
  verb = INFO_SUPPORT_USER_ADDED_VERB;
393
393
  complement = INFO_SUPPORT_USER_ADDED_COMPLEMENT;
394
394
  } else {
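Review bot: The comment on the line after the changed condition still says `(and he has a fullname)` while the condition and assignment now read `parameters.firstname`; update it to `// other user has been added to the group (and he has a firstname)`. The same stale comment is left in the MQTTConversationHandler hunk below. The enclosing method starts and ends outside the hunk, so I cannot see whether `message.attributes.messagelabel.parameters` is guarded before this chain is dereferenced — worth confirming, since a message without `parameters` would throw here.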
@@ -364,9 +364,9 @@ export class MQTTConversationHandler extends ConversationHandlerService {
364
364
  verb = INFO_SUPPORT_USER_ADDED_YOU_VERB;
365
365
  complement = INFO_SUPPORT_USER_ADDED_COMPLEMENT;
366
366
  } else {
367
- if (message.attributes.messagelabel.parameters.fullname) {
367
+ if (message.attributes.messagelabel.parameters.firstname) {
368
368
  // other user has been added to the group (and he has a fullname)
369
- subject = message.attributes.messagelabel.parameters.fullname;
369
+ subject = message.attributes.messagelabel.parameters.firstname;
370
370
  verb = INFO_SUPPORT_USER_ADDED_VERB;
371
371
  complement = INFO_SUPPORT_USER_ADDED_COMPLEMENT;
372
372
  } else {