@microsoft/omnichannel-chat-widget 1.8.4-main.ffa5cbb → 1.8.5

package/lib/cjs/common/utils/xssUtils.js

@@ -7,70 +7,42 @@ exports.detectAndCleanXSS = void 0;
 var _dompurify = _interopRequireDefault(require("dompurify"));
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  * 
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  * 
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- * 
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 const detectAndCleanXSS = text => {
-  // Comprehensive array of regular expressions to detect common XSS attack patterns
-  const xssPatterns = [/javascript\s*:/gi,
-  // JavaScript protocol URLs (with optional spaces)
-  /vbscript\s*:/gi,
-  // VBScript protocol URLs (with optional spaces)
-  /on\w+\s*=/gi,
-  // HTML event handlers (onmouseover, onclick, onload, etc.)
-  /<\s*script/gi,
-  // Script tag opening (with optional spaces)
-  /expression\s*\(/gi,
-  // CSS expression() function (IE-specific)
-  /url\s*\(/gi,
-  // CSS url() function
-  /style\s*=.*position\s*:\s*fixed/gi,
-  // CSS position fixed attacks
-  /style\s*=.*position\s*:\s*absolute/gi,
-  // CSS position absolute attacks
-  /data\s*:\s*text\s*\/\s*html/gi,
-  // Data URLs containing HTML
-  /#.*\\"/gi,
-  // Fragment identifiers with escaped quotes
-  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
-  ];
-
-  // Check if any XSS patterns are detected in the input text
-  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
-
-  // Clean the text using DOMPurify with strict config
+  // Sanitize first to prevent mutation XSS (e.g., "s<iframe></iframe>tyle" → "style")
   const cleanText = _dompurify.default.sanitize(text, {
     ALLOWED_TAGS: [],
-    // No HTML tags allowed in title
     ALLOWED_ATTR: [],
     KEEP_CONTENT: true,
-    // Keep text content
     ALLOW_DATA_ATTR: false,
     ALLOW_UNKNOWN_PROTOCOLS: false,
     SANITIZE_DOM: true,
     FORCE_BODY: false
   });
+  const contentChanged = text !== cleanText;
+
+  // Non-global regex patterns to avoid stateful .test() issues
+  const xssPatterns = [/javascript\s*:/i, /vbscript\s*:/i, /on\w+\s*=/i,
+  // Event handlers
+  /<\s*script/i, /<\s*iframe/i, /<\s*object/i, /<\s*embed/i, /<\s*svg/i, /expression\s*\(/i,
+  // IE CSS expressions
+  /style\s*=.*position\s*:\s*(fixed|absolute)/i, /data\s*:\s*text\s*\/\s*html/i, /#.*\\"/i, /&(lt|gt|#x3c|#60|#x3e|#62);/i,
+  // HTML entities
+  /&#x?[0-9a-f]+;.*</i, /\u003c.*\u003e/i,
+  // Unicode escapes
+  /src\s*=\s*["']?\s*javascript:/i, /href\s*=\s*["']?\s*javascript:/i];
+  const hasXSSPattern = xssPatterns.some(pattern => {
+    return pattern.test(text) || pattern.test(cleanText);
+  });
+  const hasHTMLStructure = /<[^>]+>/.test(text) && !/<[^>]+>/.test(cleanText);
+  const isXSSDetected = contentChanged || hasXSSPattern || hasHTMLStructure;
   return {
     cleanText,
     isXSSDetected

package/lib/cjs/components/proactivechatpanestateful/ProactiveChatPaneStateful.js

@@ -122,7 +122,6 @@ const ProactiveChatPaneStateful = props => {
     bodyTitleText: state.appStates.proactiveChatStates.proactiveChatBodyTitle ? state.appStates.proactiveChatStates.proactiveChatBodyTitle : proactiveChatProps === null || proactiveChatProps === void 0 ? void 0 : (_proactiveChatProps$c = proactiveChatProps.controlProps) === null || _proactiveChatProps$c === void 0 ? void 0 : _proactiveChatProps$c.bodyTitleText
   };
   (0, _react.useEffect)(() => {
-    (0, _utils.setFocusOnElement)(document.getElementById(controlProps.id + "-startbutton"));
     _TelemetryManager.TelemetryTimers.ProactiveChatScreenTimer = (0, _utils.createTimer)();
     const timeoutEvent = setTimeout(() => {
       handleProactiveChatInviteTimeout();

package/lib/esm/common/utils/xssUtils.js

@@ -1,70 +1,42 @@
 import DOMPurify from "dompurify";
 
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  * 
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  * 
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- * 
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 export const detectAndCleanXSS = text => {
-  // Comprehensive array of regular expressions to detect common XSS attack patterns
-  const xssPatterns = [/javascript\s*:/gi,
-  // JavaScript protocol URLs (with optional spaces)
-  /vbscript\s*:/gi,
-  // VBScript protocol URLs (with optional spaces)
-  /on\w+\s*=/gi,
-  // HTML event handlers (onmouseover, onclick, onload, etc.)
-  /<\s*script/gi,
-  // Script tag opening (with optional spaces)
-  /expression\s*\(/gi,
-  // CSS expression() function (IE-specific)
-  /url\s*\(/gi,
-  // CSS url() function
-  /style\s*=.*position\s*:\s*fixed/gi,
-  // CSS position fixed attacks
-  /style\s*=.*position\s*:\s*absolute/gi,
-  // CSS position absolute attacks
-  /data\s*:\s*text\s*\/\s*html/gi,
-  // Data URLs containing HTML
-  /#.*\\"/gi,
-  // Fragment identifiers with escaped quotes
-  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
-  ];
-
-  // Check if any XSS patterns are detected in the input text
-  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
-
-  // Clean the text using DOMPurify with strict config
+  // Sanitize first to prevent mutation XSS (e.g., "s<iframe></iframe>tyle" → "style")
   const cleanText = DOMPurify.sanitize(text, {
     ALLOWED_TAGS: [],
-    // No HTML tags allowed in title
     ALLOWED_ATTR: [],
     KEEP_CONTENT: true,
-    // Keep text content
     ALLOW_DATA_ATTR: false,
     ALLOW_UNKNOWN_PROTOCOLS: false,
     SANITIZE_DOM: true,
     FORCE_BODY: false
   });
+  const contentChanged = text !== cleanText;
+
+  // Non-global regex patterns to avoid stateful .test() issues
+  const xssPatterns = [/javascript\s*:/i, /vbscript\s*:/i, /on\w+\s*=/i,
+  // Event handlers
+  /<\s*script/i, /<\s*iframe/i, /<\s*object/i, /<\s*embed/i, /<\s*svg/i, /expression\s*\(/i,
+  // IE CSS expressions
+  /style\s*=.*position\s*:\s*(fixed|absolute)/i, /data\s*:\s*text\s*\/\s*html/i, /#.*\\"/i, /&(lt|gt|#x3c|#60|#x3e|#62);/i,
+  // HTML entities
+  /&#x?[0-9a-f]+;.*</i, /\u003c.*\u003e/i,
+  // Unicode escapes
+  /src\s*=\s*["']?\s*javascript:/i, /href\s*=\s*["']?\s*javascript:/i];
+  const hasXSSPattern = xssPatterns.some(pattern => {
+    return pattern.test(text) || pattern.test(cleanText);
+  });
+  const hasHTMLStructure = /<[^>]+>/.test(text) && !/<[^>]+>/.test(cleanText);
+  const isXSSDetected = contentChanged || hasXSSPattern || hasHTMLStructure;
   return {
     cleanText,
     isXSSDetected

package/lib/esm/components/proactivechatpanestateful/ProactiveChatPaneStateful.js

@@ -1,6 +1,6 @@
 import { BroadcastEvent, LogLevel, TelemetryEvent } from "../../common/telemetry/TelemetryConstants";
 import React, { useEffect, useState } from "react";
-import { createTimer, setFocusOnElement } from "../../common/utils";
+import { createTimer } from "../../common/utils";
 import { BroadcastService } from "@microsoft/omnichannel-chat-components";
 import { Constants } from "../../common/Constants";
 import { ConversationState } from "../../contexts/common/ConversationState";
@@ -114,7 +114,6 @@ export const ProactiveChatPaneStateful = props => {
     bodyTitleText: state.appStates.proactiveChatStates.proactiveChatBodyTitle ? state.appStates.proactiveChatStates.proactiveChatBodyTitle : proactiveChatProps === null || proactiveChatProps === void 0 ? void 0 : (_proactiveChatProps$c = proactiveChatProps.controlProps) === null || _proactiveChatProps$c === void 0 ? void 0 : _proactiveChatProps$c.bodyTitleText
   };
   useEffect(() => {
-    setFocusOnElement(document.getElementById(controlProps.id + "-startbutton"));
     TelemetryTimers.ProactiveChatScreenTimer = createTimer();
     const timeoutEvent = setTimeout(() => {
       handleProactiveChatInviteTimeout();

package/lib/types/common/utils/xssUtils.d.ts

@@ -1,27 +1,11 @@
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  *
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  *
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- *
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 export declare const detectAndCleanXSS: (text: string) => {
     cleanText: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/omnichannel-chat-widget",
-  "version": "1.8.4-main.ffa5cbb",
+  "version": "1.8.5",
   "description": "Microsoft Omnichannel Chat Widget",
   "main": "lib/cjs/index.js",
   "types": "lib/types/index.d.ts",
@@ -86,8 +86,8 @@
   "dependencies": {
     "@azure/core-tracing": "^1.2.0",
     "@microsoft/applicationinsights-web": "^3.3.6",
-    "@microsoft/omnichannel-chat-components": "1.1.16",
-    "@microsoft/omnichannel-chat-sdk": "^1.11.7-main.3418dc3",
+    "@microsoft/omnichannel-chat-components": "1.1.18",
+    "@microsoft/omnichannel-chat-sdk": "^1.11.7-main.f31f9b6",
     "@opentelemetry/api": "^1.9.0",
     "abort-controller": "^3",
     "abort-controller-es5": "^2.0.1",