@microsoft/omnichannel-chat-widget 1.8.1-main.65a1ab5 → 1.8.1-main.6ec59e7

package/lib/cjs/common/Constants.js

@@ -19,6 +19,7 @@ _defineProperty(Constants, "magicCodeBroadcastChannel", "MagicCodeChannel");
 _defineProperty(Constants, "magicCodeResponseBroadcastChannel", "MagicCodeResponseChannel");
 _defineProperty(Constants, "systemMessageTag", "system");
 _defineProperty(Constants, "userMessageTag", "user");
+_defineProperty(Constants, "channelMessageTag", "channel");
 _defineProperty(Constants, "historyMessageTag", "history");
 _defineProperty(Constants, "agentEndConversationMessageTag", "agentendconversation");
 _defineProperty(Constants, "supervisorForceCloseMessageTag", "supervisorforceclosedconversation");

package/lib/cjs/common/telemetry/TelemetryConstants.js

@@ -256,6 +256,7 @@ exports.TelemetryEvent = TelemetryEvent;
   TelemetryEvent["UXNotificationPaneCompleted"] = "UXNotificationPaneCompleted";
   TelemetryEvent["UXOutOfOfficeHoursPaneStart"] = "UXOutOfOfficeHoursPaneStart";
   TelemetryEvent["UXOutOfOfficeHoursPaneCompleted"] = "UXOutOfOfficeHoursPaneCompleted";
+  TelemetryEvent["XSSTextDetected"] = "XSSTextDetected";
   TelemetryEvent["UXPostChatLoadingPaneStart"] = "UXPostChatLoadingPaneStart";
   TelemetryEvent["UXPostChatLoadingPaneCompleted"] = "UXPostChatLoadingPaneCompleted";
   TelemetryEvent["UXPrechatPaneStart"] = "UXPrechatPaneStart";

package/lib/cjs/common/telemetry/TelemetryManager.js

@@ -64,8 +64,8 @@ const RegisterLoggers = () => {
       if (((_TelemetryManager$Int22 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int22 === void 0 ? void 0 : (_TelemetryManager$Int23 = _TelemetryManager$Int22.appInsightsConfig) === null || _TelemetryManager$Int23 === void 0 ? void 0 : _TelemetryManager$Int23.appInsightsDisabled) === false) {
         var _TelemetryManager$Int24;
         if ((_TelemetryManager$Int24 = TelemetryManager.InternalTelemetryData) !== null && _TelemetryManager$Int24 !== void 0 && _TelemetryManager$Int24.appInsightsConfig.appInsightsKey) {
-          var _TelemetryManager$Int25, _TelemetryManager$Int26, _TelemetryManager$Int27;
-          loggers.push((0, _appInsightsLogger.appInsightsLogger)((_TelemetryManager$Int25 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int25 === void 0 ? void 0 : _TelemetryManager$Int25.appInsightsConfig.appInsightsKey, ((_TelemetryManager$Int26 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int26 === void 0 ? void 0 : (_TelemetryManager$Int27 = _TelemetryManager$Int26.ariaConfig) === null || _TelemetryManager$Int27 === void 0 ? void 0 : _TelemetryManager$Int27.disableCookieUsage) ?? _defaultAriaConfig.defaultAriaConfig.disableCookieUsage));
+          var _TelemetryManager$Int25;
+          loggers.push((0, _appInsightsLogger.appInsightsLogger)((_TelemetryManager$Int25 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int25 === void 0 ? void 0 : _TelemetryManager$Int25.appInsightsConfig.appInsightsKey));
         }
       }
     }

package/lib/cjs/common/telemetry/loggers/appInsightsLogger.js

@@ -25,14 +25,14 @@ var AllowedKeys;
   AllowedKeys["ElapsedTimeInMilliseconds"] = "DurationInMilliseconds";
 })(AllowedKeys || (AllowedKeys = {}));
 let initializationPromise = null;
-const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
+const appInsightsLogger = appInsightsKey => {
   const isValidKey = key => {
     const INSTRUMENTATION_KEY_PATTERN = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}";
     const INSTRUMENTATION_KEY_REGEX = new RegExp(`^${INSTRUMENTATION_KEY_PATTERN}$`);
     const CONNECTION_STRING_REGEX = new RegExp(`^InstrumentationKey=${INSTRUMENTATION_KEY_PATTERN};IngestionEndpoint=https://[a-zA-Z0-9\\-\\.]+\\.applicationinsights\\.azure\\.com/.*`);
     return INSTRUMENTATION_KEY_REGEX.test(key) || CONNECTION_STRING_REGEX.test(key);
   };
-  const initializeAppInsights = async (appInsightsKey, disableCookiesUsage) => {
+  const initializeAppInsights = async appInsightsKey => {
     if (!window.appInsights && appInsightsKey) {
       if (!isValidKey(appInsightsKey)) {
         _TelemetryHelper.TelemetryHelper.logActionEvent(_TelemetryConstants.LogLevel.ERROR, {
@@ -54,8 +54,7 @@ const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
             connectionString: appInsightsKey
           } : {
             instrumentationKey: appInsightsKey
-          }),
-          disableCookiesUsage: disableCookiesUsage
+          })
         };
 
         // Initialize Application Insights instance
@@ -82,7 +81,7 @@ const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
   };
   const logger = async () => {
     if (!initializationPromise) {
-      initializationPromise = initializeAppInsights(appInsightsKey, disableCookiesUsage);
+      initializationPromise = initializeAppInsights(appInsightsKey);
     }
     await initializationPromise;
     return window.appInsights;

package/lib/cjs/common/utils/xssUtils.js

@@ -0,0 +1,79 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.detectAndCleanXSS = void 0;
+var _dompurify = _interopRequireDefault(require("dompurify"));
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+/**
+ * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * 
+ * This function performs comprehensive XSS detection using pattern matching for common attack vectors
+ * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
+ * against various XSS techniques including script injection, event handler injection, style-based
+ * attacks, and encoded payloads.
+ * 
+ * Security patterns detected:
+ * - JavaScript protocol URLs (javascript:)
+ * - HTML event handlers (onmouseover, onclick, etc.)
+ * - Script tags (<script>)
+ * - CSS expression() functions
+ * - CSS url() functions
+ * - Position-based CSS attacks (position: fixed/absolute)
+ * - VBScript protocol URLs
+ * - Data URLs with HTML content
+ * - Fragment identifiers with escaped quotes
+ * - HTML entity-encoded angle brackets
+ * 
+ * @param text - The input text to be analyzed and sanitized
+ * @returns An object containing:
+ *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
+ *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ */
+const detectAndCleanXSS = text => {
+  // Comprehensive array of regular expressions to detect common XSS attack patterns
+  const xssPatterns = [/javascript\s*:/gi,
+  // JavaScript protocol URLs (with optional spaces)
+  /vbscript\s*:/gi,
+  // VBScript protocol URLs (with optional spaces)
+  /on\w+\s*=/gi,
+  // HTML event handlers (onmouseover, onclick, onload, etc.)
+  /<\s*script/gi,
+  // Script tag opening (with optional spaces)
+  /expression\s*\(/gi,
+  // CSS expression() function (IE-specific)
+  /url\s*\(/gi,
+  // CSS url() function
+  /style\s*=.*position\s*:\s*fixed/gi,
+  // CSS position fixed attacks
+  /style\s*=.*position\s*:\s*absolute/gi,
+  // CSS position absolute attacks
+  /data\s*:\s*text\s*\/\s*html/gi,
+  // Data URLs containing HTML
+  /#.*\\"/gi,
+  // Fragment identifiers with escaped quotes
+  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
+  ];
+
+  // Check if any XSS patterns are detected in the input text
+  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
+
+  // Clean the text using DOMPurify with strict config
+  const cleanText = _dompurify.default.sanitize(text, {
+    ALLOWED_TAGS: [],
+    // No HTML tags allowed in title
+    ALLOWED_ATTR: [],
+    KEEP_CONTENT: true,
+    // Keep text content
+    ALLOW_DATA_ATTR: false,
+    ALLOW_UNKNOWN_PROTOCOLS: false,
+    SANITIZE_DOM: true,
+    FORCE_BODY: false
+  });
+  return {
+    cleanText,
+    isXSSDetected
+  };
+};
+exports.detectAndCleanXSS = detectAndCleanXSS;

package/lib/cjs/components/livechatwidget/common/startChat.js

@@ -315,13 +315,7 @@ const canConnectToExistingChat = async (props, facadeChatSDK, state, dispatch, s
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const setCustomContextParams = async (state, props) => {
-  var _props$chatConfig, _props$chatConfig$Liv, _state$domainStates8, _persistedState$domai8;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const isAuthenticatedChat = props !== null && props !== void 0 && (_props$chatConfig = props.chatConfig) !== null && _props$chatConfig !== void 0 && (_props$chatConfig$Liv = _props$chatConfig.LiveChatConfigAuthSettings) !== null && _props$chatConfig$Liv !== void 0 && _props$chatConfig$Liv.msdyn_javascriptclientfunction ? true : false;
-  //Should not set custom context for auth chat
-  if (isAuthenticatedChat) {
-    return;
-  }
+  var _state$domainStates8, _persistedState$domai8;
   if (state !== null && state !== void 0 && (_state$domainStates8 = state.domainStates) !== null && _state$domainStates8 !== void 0 && _state$domainStates8.customContext) {
     var _state$domainStates9;
     optionalParams = Object.assign({}, optionalParams, {

package/lib/cjs/components/ooohpanestateful/OOOHPaneStateful.js

@@ -7,15 +7,16 @@ exports.default = exports.OutOfOfficeHoursPaneStateful = void 0;
 var _TelemetryConstants = require("../../common/telemetry/TelemetryConstants");
 var _react = _interopRequireWildcard(require("react"));
 var _utils = require("../../common/utils");
-var _dompurify = _interopRequireDefault(require("dompurify"));
 var _omnichannelChatComponents = require("@microsoft/omnichannel-chat-components");
 var _TelemetryHelper = require("../../common/telemetry/TelemetryHelper");
 var _defaultgeneralOOOHPaneStyleProps = require("./common/defaultStyleProps/defaultgeneralOOOHPaneStyleProps");
+var _xssUtils = require("../../common/utils/xssUtils");
 var _useChatContextStore = _interopRequireDefault(require("../../hooks/useChatContextStore"));
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 let uiTimer;
+const OOOHPaneTitleText = "Thanks for contacting us. You have reached us outside of our operating hours. An agent will respond when we open.";
 const OutOfOfficeHoursPaneStateful = props => {
   var _props$styleProps;
   (0, _react.useEffect)(() => {
@@ -54,8 +55,28 @@ const OutOfOfficeHoursPaneStateful = props => {
       ElapsedTimeInMilliseconds: uiTimer.milliSecondsElapsed
     });
   }, []);
+
+  // Enhanced titleText sanitization
   if (controlProps !== null && controlProps !== void 0 && controlProps.titleText) {
-    controlProps.titleText = _dompurify.default.sanitize(controlProps.titleText);
+    const {
+      cleanText,
+      isXSSDetected
+    } = (0, _xssUtils.detectAndCleanXSS)(controlProps.titleText);
+    if (!isXSSDetected) {
+      // replace with the sanitized text
+      controlProps.titleText = cleanText;
+    } else {
+      _TelemetryHelper.TelemetryHelper.logLoadingEventToAllTelemetry(_TelemetryConstants.LogLevel.WARN, {
+        Event: _TelemetryConstants.TelemetryEvent.XSSTextDetected,
+        Description: "Potential XSS attempt detected in titleText",
+        CustomProperties: {
+          originalText: controlProps.titleText.substring(0, 100),
+          // Log first 100 chars for analysis
+          cleanedText: cleanText.substring(0, 100)
+        }
+      });
+      controlProps.titleText = OOOHPaneTitleText;
+    }
   }
   return /*#__PURE__*/_react.default.createElement(_omnichannelChatComponents.OutOfOfficeHoursPane, {
     componentOverrides: props.componentOverrides,

package/lib/cjs/firstresponselatency/util.js

@@ -73,11 +73,13 @@ const polyfillMessagePayloadForEvent = (activity, payload, conversationId) => {
 };
 exports.polyfillMessagePayloadForEvent = polyfillMessagePayloadForEvent;
 const getScenarioType = activity => {
-  var _activity$from3, _activity$channelData4, _activity$channelData5;
-  if ((activity === null || activity === void 0 ? void 0 : (_activity$from3 = activity.from) === null || _activity$from3 === void 0 ? void 0 : _activity$from3.role) === _Constants2.Constants.userMessageTag) {
+  var _activity$from3, _activity$channelData4;
+  const role = activity === null || activity === void 0 ? void 0 : (_activity$from3 = activity.from) === null || _activity$from3 === void 0 ? void 0 : _activity$from3.role;
+  const tags = activity === null || activity === void 0 ? void 0 : (_activity$channelData4 = activity.channelData) === null || _activity$channelData4 === void 0 ? void 0 : _activity$channelData4.tags;
+  if (role === _Constants2.Constants.userMessageTag) {
     return _Constants.ScenarioType.UserSendMessageStrategy;
   }
-  if (activity !== null && activity !== void 0 && (_activity$channelData4 = activity.channelData) !== null && _activity$channelData4 !== void 0 && (_activity$channelData5 = _activity$channelData4.tags) !== null && _activity$channelData5 !== void 0 && _activity$channelData5.includes(_Constants2.Constants.systemMessageTag)) {
+  if (tags && tags.includes(_Constants2.Constants.systemMessageTag) || role === _Constants2.Constants.channelMessageTag) {
     return _Constants.ScenarioType.SystemMessageStrategy;
   }
   return _Constants.ScenarioType.ReceivedMessageStrategy;

package/lib/esm/common/Constants.js

@@ -12,6 +12,7 @@ _defineProperty(Constants, "magicCodeBroadcastChannel", "MagicCodeChannel");
 _defineProperty(Constants, "magicCodeResponseBroadcastChannel", "MagicCodeResponseChannel");
 _defineProperty(Constants, "systemMessageTag", "system");
 _defineProperty(Constants, "userMessageTag", "user");
+_defineProperty(Constants, "channelMessageTag", "channel");
 _defineProperty(Constants, "historyMessageTag", "history");
 _defineProperty(Constants, "agentEndConversationMessageTag", "agentendconversation");
 _defineProperty(Constants, "supervisorForceCloseMessageTag", "supervisorforceclosedconversation");

package/lib/esm/common/telemetry/TelemetryConstants.js

@@ -250,6 +250,7 @@ export let TelemetryEvent;
   TelemetryEvent["UXNotificationPaneCompleted"] = "UXNotificationPaneCompleted";
   TelemetryEvent["UXOutOfOfficeHoursPaneStart"] = "UXOutOfOfficeHoursPaneStart";
   TelemetryEvent["UXOutOfOfficeHoursPaneCompleted"] = "UXOutOfOfficeHoursPaneCompleted";
+  TelemetryEvent["XSSTextDetected"] = "XSSTextDetected";
   TelemetryEvent["UXPostChatLoadingPaneStart"] = "UXPostChatLoadingPaneStart";
   TelemetryEvent["UXPostChatLoadingPaneCompleted"] = "UXPostChatLoadingPaneCompleted";
   TelemetryEvent["UXPrechatPaneStart"] = "UXPrechatPaneStart";

package/lib/esm/common/telemetry/TelemetryManager.js

@@ -55,8 +55,8 @@ export const RegisterLoggers = () => {
       if (((_TelemetryManager$Int22 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int22 === void 0 ? void 0 : (_TelemetryManager$Int23 = _TelemetryManager$Int22.appInsightsConfig) === null || _TelemetryManager$Int23 === void 0 ? void 0 : _TelemetryManager$Int23.appInsightsDisabled) === false) {
         var _TelemetryManager$Int24;
         if ((_TelemetryManager$Int24 = TelemetryManager.InternalTelemetryData) !== null && _TelemetryManager$Int24 !== void 0 && _TelemetryManager$Int24.appInsightsConfig.appInsightsKey) {
-          var _TelemetryManager$Int25, _TelemetryManager$Int26, _TelemetryManager$Int27;
-          loggers.push(appInsightsLogger((_TelemetryManager$Int25 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int25 === void 0 ? void 0 : _TelemetryManager$Int25.appInsightsConfig.appInsightsKey, ((_TelemetryManager$Int26 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int26 === void 0 ? void 0 : (_TelemetryManager$Int27 = _TelemetryManager$Int26.ariaConfig) === null || _TelemetryManager$Int27 === void 0 ? void 0 : _TelemetryManager$Int27.disableCookieUsage) ?? defaultAriaConfig.disableCookieUsage));
+          var _TelemetryManager$Int25;
+          loggers.push(appInsightsLogger((_TelemetryManager$Int25 = TelemetryManager.InternalTelemetryData) === null || _TelemetryManager$Int25 === void 0 ? void 0 : _TelemetryManager$Int25.appInsightsConfig.appInsightsKey));
         }
       }
     }

package/lib/esm/common/telemetry/loggers/appInsightsLogger.js

@@ -16,14 +16,14 @@ var AllowedKeys;
   AllowedKeys["ElapsedTimeInMilliseconds"] = "DurationInMilliseconds";
 })(AllowedKeys || (AllowedKeys = {}));
 let initializationPromise = null;
-export const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
+export const appInsightsLogger = appInsightsKey => {
   const isValidKey = key => {
     const INSTRUMENTATION_KEY_PATTERN = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}";
     const INSTRUMENTATION_KEY_REGEX = new RegExp(`^${INSTRUMENTATION_KEY_PATTERN}$`);
     const CONNECTION_STRING_REGEX = new RegExp(`^InstrumentationKey=${INSTRUMENTATION_KEY_PATTERN};IngestionEndpoint=https://[a-zA-Z0-9\\-\\.]+\\.applicationinsights\\.azure\\.com/.*`);
     return INSTRUMENTATION_KEY_REGEX.test(key) || CONNECTION_STRING_REGEX.test(key);
   };
-  const initializeAppInsights = async (appInsightsKey, disableCookiesUsage) => {
+  const initializeAppInsights = async appInsightsKey => {
     if (!window.appInsights && appInsightsKey) {
       if (!isValidKey(appInsightsKey)) {
         TelemetryHelper.logActionEvent(LogLevel.ERROR, {
@@ -45,8 +45,7 @@ export const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
             connectionString: appInsightsKey
           } : {
             instrumentationKey: appInsightsKey
-          }),
-          disableCookiesUsage: disableCookiesUsage
+          })
         };
 
         // Initialize Application Insights instance
@@ -73,7 +72,7 @@ export const appInsightsLogger = (appInsightsKey, disableCookiesUsage) => {
   };
   const logger = async () => {
     if (!initializationPromise) {
-      initializationPromise = initializeAppInsights(appInsightsKey, disableCookiesUsage);
+      initializationPromise = initializeAppInsights(appInsightsKey);
     }
     await initializationPromise;
     return window.appInsights;

package/lib/esm/common/utils/xssUtils.js

@@ -0,0 +1,72 @@
+import DOMPurify from "dompurify";
+
+/**
+ * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * 
+ * This function performs comprehensive XSS detection using pattern matching for common attack vectors
+ * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
+ * against various XSS techniques including script injection, event handler injection, style-based
+ * attacks, and encoded payloads.
+ * 
+ * Security patterns detected:
+ * - JavaScript protocol URLs (javascript:)
+ * - HTML event handlers (onmouseover, onclick, etc.)
+ * - Script tags (<script>)
+ * - CSS expression() functions
+ * - CSS url() functions
+ * - Position-based CSS attacks (position: fixed/absolute)
+ * - VBScript protocol URLs
+ * - Data URLs with HTML content
+ * - Fragment identifiers with escaped quotes
+ * - HTML entity-encoded angle brackets
+ * 
+ * @param text - The input text to be analyzed and sanitized
+ * @returns An object containing:
+ *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
+ *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ */
+export const detectAndCleanXSS = text => {
+  // Comprehensive array of regular expressions to detect common XSS attack patterns
+  const xssPatterns = [/javascript\s*:/gi,
+  // JavaScript protocol URLs (with optional spaces)
+  /vbscript\s*:/gi,
+  // VBScript protocol URLs (with optional spaces)
+  /on\w+\s*=/gi,
+  // HTML event handlers (onmouseover, onclick, onload, etc.)
+  /<\s*script/gi,
+  // Script tag opening (with optional spaces)
+  /expression\s*\(/gi,
+  // CSS expression() function (IE-specific)
+  /url\s*\(/gi,
+  // CSS url() function
+  /style\s*=.*position\s*:\s*fixed/gi,
+  // CSS position fixed attacks
+  /style\s*=.*position\s*:\s*absolute/gi,
+  // CSS position absolute attacks
+  /data\s*:\s*text\s*\/\s*html/gi,
+  // Data URLs containing HTML
+  /#.*\\"/gi,
+  // Fragment identifiers with escaped quotes
+  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
+  ];
+
+  // Check if any XSS patterns are detected in the input text
+  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
+
+  // Clean the text using DOMPurify with strict config
+  const cleanText = DOMPurify.sanitize(text, {
+    ALLOWED_TAGS: [],
+    // No HTML tags allowed in title
+    ALLOWED_ATTR: [],
+    KEEP_CONTENT: true,
+    // Keep text content
+    ALLOW_DATA_ATTR: false,
+    ALLOW_UNKNOWN_PROTOCOLS: false,
+    SANITIZE_DOM: true,
+    FORCE_BODY: false
+  });
+  return {
+    cleanText,
+    isXSSDetected
+  };
+};

package/lib/esm/components/livechatwidget/common/startChat.js

@@ -307,13 +307,7 @@ const canConnectToExistingChat = async (props, facadeChatSDK, state, dispatch, s
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const setCustomContextParams = async (state, props) => {
-  var _props$chatConfig, _props$chatConfig$Liv, _state$domainStates8, _persistedState$domai8;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const isAuthenticatedChat = props !== null && props !== void 0 && (_props$chatConfig = props.chatConfig) !== null && _props$chatConfig !== void 0 && (_props$chatConfig$Liv = _props$chatConfig.LiveChatConfigAuthSettings) !== null && _props$chatConfig$Liv !== void 0 && _props$chatConfig$Liv.msdyn_javascriptclientfunction ? true : false;
-  //Should not set custom context for auth chat
-  if (isAuthenticatedChat) {
-    return;
-  }
+  var _state$domainStates8, _persistedState$domai8;
   if (state !== null && state !== void 0 && (_state$domainStates8 = state.domainStates) !== null && _state$domainStates8 !== void 0 && _state$domainStates8.customContext) {
     var _state$domainStates9;
     optionalParams = Object.assign({}, optionalParams, {

package/lib/esm/components/ooohpanestateful/OOOHPaneStateful.js

@@ -1,12 +1,13 @@
 import { LogLevel, TelemetryEvent } from "../../common/telemetry/TelemetryConstants";
 import React, { useEffect } from "react";
 import { createTimer, findAllFocusableElement } from "../../common/utils";
-import DOMPurify from "dompurify";
 import { OutOfOfficeHoursPane } from "@microsoft/omnichannel-chat-components";
 import { TelemetryHelper } from "../../common/telemetry/TelemetryHelper";
 import { defaultGeneralStyleProps } from "./common/defaultStyleProps/defaultgeneralOOOHPaneStyleProps";
+import { detectAndCleanXSS } from "../../common/utils/xssUtils";
 import useChatContextStore from "../../hooks/useChatContextStore";
 let uiTimer;
+const OOOHPaneTitleText = "Thanks for contacting us. You have reached us outside of our operating hours. An agent will respond when we open.";
 export const OutOfOfficeHoursPaneStateful = props => {
   var _props$styleProps;
   useEffect(() => {
@@ -45,8 +46,28 @@ export const OutOfOfficeHoursPaneStateful = props => {
       ElapsedTimeInMilliseconds: uiTimer.milliSecondsElapsed
     });
   }, []);
+
+  // Enhanced titleText sanitization
   if (controlProps !== null && controlProps !== void 0 && controlProps.titleText) {
-    controlProps.titleText = DOMPurify.sanitize(controlProps.titleText);
+    const {
+      cleanText,
+      isXSSDetected
+    } = detectAndCleanXSS(controlProps.titleText);
+    if (!isXSSDetected) {
+      // replace with the sanitized text
+      controlProps.titleText = cleanText;
+    } else {
+      TelemetryHelper.logLoadingEventToAllTelemetry(LogLevel.WARN, {
+        Event: TelemetryEvent.XSSTextDetected,
+        Description: "Potential XSS attempt detected in titleText",
+        CustomProperties: {
+          originalText: controlProps.titleText.substring(0, 100),
+          // Log first 100 chars for analysis
+          cleanedText: cleanText.substring(0, 100)
+        }
+      });
+      controlProps.titleText = OOOHPaneTitleText;
+    }
   }
   return /*#__PURE__*/React.createElement(OutOfOfficeHoursPane, {
     componentOverrides: props.componentOverrides,

package/lib/esm/firstresponselatency/util.js

@@ -64,11 +64,13 @@ export const polyfillMessagePayloadForEvent = (activity, payload, conversationId
   };
 };
 export const getScenarioType = activity => {
-  var _activity$from3, _activity$channelData4, _activity$channelData5;
-  if ((activity === null || activity === void 0 ? void 0 : (_activity$from3 = activity.from) === null || _activity$from3 === void 0 ? void 0 : _activity$from3.role) === Constants.userMessageTag) {
+  var _activity$from3, _activity$channelData4;
+  const role = activity === null || activity === void 0 ? void 0 : (_activity$from3 = activity.from) === null || _activity$from3 === void 0 ? void 0 : _activity$from3.role;
+  const tags = activity === null || activity === void 0 ? void 0 : (_activity$channelData4 = activity.channelData) === null || _activity$channelData4 === void 0 ? void 0 : _activity$channelData4.tags;
+  if (role === Constants.userMessageTag) {
     return ScenarioType.UserSendMessageStrategy;
   }
-  if (activity !== null && activity !== void 0 && (_activity$channelData4 = activity.channelData) !== null && _activity$channelData4 !== void 0 && (_activity$channelData5 = _activity$channelData4.tags) !== null && _activity$channelData5 !== void 0 && _activity$channelData5.includes(Constants.systemMessageTag)) {
+  if (tags && tags.includes(Constants.systemMessageTag) || role === Constants.channelMessageTag) {
     return ScenarioType.SystemMessageStrategy;
   }
   return ScenarioType.ReceivedMessageStrategy;

package/lib/types/common/Constants.d.ts

@@ -3,6 +3,7 @@ export declare class Constants {
     static readonly magicCodeResponseBroadcastChannel = "MagicCodeResponseChannel";
     static readonly systemMessageTag = "system";
     static readonly userMessageTag = "user";
+    static readonly channelMessageTag = "channel";
     static readonly historyMessageTag = "history";
     static readonly agentEndConversationMessageTag = "agentendconversation";
     static readonly supervisorForceCloseMessageTag = "supervisorforceclosedconversation";

package/lib/types/common/telemetry/TelemetryConstants.d.ts

@@ -238,6 +238,7 @@ export declare enum TelemetryEvent {
     UXNotificationPaneCompleted = "UXNotificationPaneCompleted",
     UXOutOfOfficeHoursPaneStart = "UXOutOfOfficeHoursPaneStart",
     UXOutOfOfficeHoursPaneCompleted = "UXOutOfOfficeHoursPaneCompleted",
+    XSSTextDetected = "XSSTextDetected",
     UXPostChatLoadingPaneStart = "UXPostChatLoadingPaneStart",
     UXPostChatLoadingPaneCompleted = "UXPostChatLoadingPaneCompleted",
     UXPrechatPaneStart = "UXPrechatPaneStart",

package/lib/types/common/telemetry/loggers/appInsightsLogger.d.ts

@@ -4,7 +4,7 @@ declare global {
         appInsights?: any;
     }
 }
-export declare const appInsightsLogger: (appInsightsKey: string, disableCookiesUsage: boolean) => IChatSDKLogger;
+export declare const appInsightsLogger: (appInsightsKey: string) => IChatSDKLogger;
 export interface ICustomProperties {
     [key: string]: any;
 }

package/lib/types/common/utils/xssUtils.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ *
+ * This function performs comprehensive XSS detection using pattern matching for common attack vectors
+ * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
+ * against various XSS techniques including script injection, event handler injection, style-based
+ * attacks, and encoded payloads.
+ *
+ * Security patterns detected:
+ * - JavaScript protocol URLs (javascript:)
+ * - HTML event handlers (onmouseover, onclick, etc.)
+ * - Script tags (<script>)
+ * - CSS expression() functions
+ * - CSS url() functions
+ * - Position-based CSS attacks (position: fixed/absolute)
+ * - VBScript protocol URLs
+ * - Data URLs with HTML content
+ * - Fragment identifiers with escaped quotes
+ * - HTML entity-encoded angle brackets
+ *
+ * @param text - The input text to be analyzed and sanitized
+ * @returns An object containing:
+ *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
+ *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ */
+export declare const detectAndCleanXSS: (text: string) => {
+    cleanText: string;
+    isXSSDetected: boolean;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/omnichannel-chat-widget",
-  "version": "1.8.1-main.65a1ab5",
+  "version": "1.8.1-main.6ec59e7",
   "description": "Microsoft Omnichannel Chat Widget",
   "main": "lib/cjs/index.js",
   "types": "lib/types/index.d.ts",