npm - @microsoft/omnichannel-chat-widget - Versions diffs - 1.8.4-main.ffa5cbb → 1.8.5-0 - Mend

@microsoft/omnichannel-chat-widget 1.8.4-main.ffa5cbb → 1.8.5-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/lib/cjs/common/utils/xssUtils.js CHANGED Viewed

@@ -7,70 +7,42 @@ exports.detectAndCleanXSS = void 0;
 var _dompurify = _interopRequireDefault(require("dompurify"));
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  *
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  *
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- *
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 const detectAndCleanXSS = text => {
-  // Comprehensive array of regular expressions to detect common XSS attack patterns
-  const xssPatterns = [/javascript\s*:/gi,
-  // JavaScript protocol URLs (with optional spaces)
-  /vbscript\s*:/gi,
-  // VBScript protocol URLs (with optional spaces)
-  /on\w+\s*=/gi,
-  // HTML event handlers (onmouseover, onclick, onload, etc.)
-  /<\s*script/gi,
-  // Script tag opening (with optional spaces)
-  /expression\s*\(/gi,
-  // CSS expression() function (IE-specific)
-  /url\s*\(/gi,
-  // CSS url() function
-  /style\s*=.*position\s*:\s*fixed/gi,
-  // CSS position fixed attacks
-  /style\s*=.*position\s*:\s*absolute/gi,
-  // CSS position absolute attacks
-  /data\s*:\s*text\s*\/\s*html/gi,
-  // Data URLs containing HTML
-  /#.*\\"/gi,
-  // Fragment identifiers with escaped quotes
-  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
-  ];
-  // Check if any XSS patterns are detected in the input text
-  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
-  // Clean the text using DOMPurify with strict config
+  // Sanitize first to prevent mutation XSS (e.g., "s<iframe></iframe>tyle" → "style")
   const cleanText = _dompurify.default.sanitize(text, {
     ALLOWED_TAGS: [],
-    // No HTML tags allowed in title
     ALLOWED_ATTR: [],
     KEEP_CONTENT: true,
-    // Keep text content
     ALLOW_DATA_ATTR: false,
     ALLOW_UNKNOWN_PROTOCOLS: false,
     SANITIZE_DOM: true,
     FORCE_BODY: false
   });
+  const contentChanged = text !== cleanText;
+  // Non-global regex patterns to avoid stateful .test() issues
+  const xssPatterns = [/javascript\s*:/i, /vbscript\s*:/i, /on\w+\s*=/i,
+  // Event handlers
+  /<\s*script/i, /<\s*iframe/i, /<\s*object/i, /<\s*embed/i, /<\s*svg/i, /expression\s*\(/i,
+  // IE CSS expressions
+  /style\s*=.*position\s*:\s*(fixed|absolute)/i, /data\s*:\s*text\s*\/\s*html/i, /#.*\\"/i, /&(lt|gt|#x3c|#60|#x3e|#62);/i,
+  // HTML entities
+  /&#x?[0-9a-f]+;.*</i, /\u003c.*\u003e/i,
+  // Unicode escapes
+  /src\s*=\s*["']?\s*javascript:/i, /href\s*=\s*["']?\s*javascript:/i];
+  const hasXSSPattern = xssPatterns.some(pattern => {
+    return pattern.test(text) || pattern.test(cleanText);
+  });
+  const hasHTMLStructure = /<[^>]+>/.test(text) && !/<[^>]+>/.test(cleanText);
+  const isXSSDetected = contentChanged || hasXSSPattern || hasHTMLStructure;
   return {
     cleanText,
     isXSSDetected

package/lib/cjs/components/proactivechatpanestateful/ProactiveChatPaneStateful.js CHANGED Viewed

@@ -122,7 +122,6 @@ const ProactiveChatPaneStateful = props => {
     bodyTitleText: state.appStates.proactiveChatStates.proactiveChatBodyTitle ? state.appStates.proactiveChatStates.proactiveChatBodyTitle : proactiveChatProps === null || proactiveChatProps === void 0 ? void 0 : (_proactiveChatProps$c = proactiveChatProps.controlProps) === null || _proactiveChatProps$c === void 0 ? void 0 : _proactiveChatProps$c.bodyTitleText
   };
   (0, _react.useEffect)(() => {
-    (0, _utils.setFocusOnElement)(document.getElementById(controlProps.id + "-startbutton"));
     _TelemetryManager.TelemetryTimers.ProactiveChatScreenTimer = (0, _utils.createTimer)();
     const timeoutEvent = setTimeout(() => {
       handleProactiveChatInviteTimeout();

package/lib/esm/common/utils/xssUtils.js CHANGED Viewed

@@ -1,70 +1,42 @@
 import DOMPurify from "dompurify";
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  *
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  *
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- *
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 export const detectAndCleanXSS = text => {
-  // Comprehensive array of regular expressions to detect common XSS attack patterns
-  const xssPatterns = [/javascript\s*:/gi,
-  // JavaScript protocol URLs (with optional spaces)
-  /vbscript\s*:/gi,
-  // VBScript protocol URLs (with optional spaces)
-  /on\w+\s*=/gi,
-  // HTML event handlers (onmouseover, onclick, onload, etc.)
-  /<\s*script/gi,
-  // Script tag opening (with optional spaces)
-  /expression\s*\(/gi,
-  // CSS expression() function (IE-specific)
-  /url\s*\(/gi,
-  // CSS url() function
-  /style\s*=.*position\s*:\s*fixed/gi,
-  // CSS position fixed attacks
-  /style\s*=.*position\s*:\s*absolute/gi,
-  // CSS position absolute attacks
-  /data\s*:\s*text\s*\/\s*html/gi,
-  // Data URLs containing HTML
-  /#.*\\"/gi,
-  // Fragment identifiers with escaped quotes
-  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
-  ];
-  // Check if any XSS patterns are detected in the input text
-  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
-  // Clean the text using DOMPurify with strict config
+  // Sanitize first to prevent mutation XSS (e.g., "s<iframe></iframe>tyle" → "style")
   const cleanText = DOMPurify.sanitize(text, {
     ALLOWED_TAGS: [],
-    // No HTML tags allowed in title
     ALLOWED_ATTR: [],
     KEEP_CONTENT: true,
-    // Keep text content
     ALLOW_DATA_ATTR: false,
     ALLOW_UNKNOWN_PROTOCOLS: false,
     SANITIZE_DOM: true,
     FORCE_BODY: false
   });
+  const contentChanged = text !== cleanText;
+  // Non-global regex patterns to avoid stateful .test() issues
+  const xssPatterns = [/javascript\s*:/i, /vbscript\s*:/i, /on\w+\s*=/i,
+  // Event handlers
+  /<\s*script/i, /<\s*iframe/i, /<\s*object/i, /<\s*embed/i, /<\s*svg/i, /expression\s*\(/i,
+  // IE CSS expressions
+  /style\s*=.*position\s*:\s*(fixed|absolute)/i, /data\s*:\s*text\s*\/\s*html/i, /#.*\\"/i, /&(lt|gt|#x3c|#60|#x3e|#62);/i,
+  // HTML entities
+  /&#x?[0-9a-f]+;.*</i, /\u003c.*\u003e/i,
+  // Unicode escapes
+  /src\s*=\s*["']?\s*javascript:/i, /href\s*=\s*["']?\s*javascript:/i];
+  const hasXSSPattern = xssPatterns.some(pattern => {
+    return pattern.test(text) || pattern.test(cleanText);
+  });
+  const hasHTMLStructure = /<[^>]+>/.test(text) && !/<[^>]+>/.test(cleanText);
+  const isXSSDetected = contentChanged || hasXSSPattern || hasHTMLStructure;
   return {
     cleanText,
     isXSSDetected

package/lib/esm/components/proactivechatpanestateful/ProactiveChatPaneStateful.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { BroadcastEvent, LogLevel, TelemetryEvent } from "../../common/telemetry/TelemetryConstants";
 import React, { useEffect, useState } from "react";
-import { createTimer, setFocusOnElement } from "../../common/utils";
+import { createTimer } from "../../common/utils";
 import { BroadcastService } from "@microsoft/omnichannel-chat-components";
 import { Constants } from "../../common/Constants";
 import { ConversationState } from "../../contexts/common/ConversationState";
@@ -114,7 +114,6 @@ export const ProactiveChatPaneStateful = props => {
     bodyTitleText: state.appStates.proactiveChatStates.proactiveChatBodyTitle ? state.appStates.proactiveChatStates.proactiveChatBodyTitle : proactiveChatProps === null || proactiveChatProps === void 0 ? void 0 : (_proactiveChatProps$c = proactiveChatProps.controlProps) === null || _proactiveChatProps$c === void 0 ? void 0 : _proactiveChatProps$c.bodyTitleText
   };
   useEffect(() => {
-    setFocusOnElement(document.getElementById(controlProps.id + "-startbutton"));
     TelemetryTimers.ProactiveChatScreenTimer = createTimer();
     const timeoutEvent = setTimeout(() => {
       handleProactiveChatInviteTimeout();

package/lib/types/common/utils/xssUtils.d.ts CHANGED Viewed

@@ -1,27 +1,11 @@
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  *
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  *
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- *
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 export declare const detectAndCleanXSS: (text: string) => {
     cleanText: string;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/omnichannel-chat-widget",
-  "version": "1.8.4-main.ffa5cbb",
+  "version": "1.8.5-0",
   "description": "Microsoft Omnichannel Chat Widget",
   "main": "lib/cjs/index.js",
   "types": "lib/types/index.d.ts",
@@ -86,8 +86,8 @@
   "dependencies": {
     "@azure/core-tracing": "^1.2.0",
     "@microsoft/applicationinsights-web": "^3.3.6",
-    "@microsoft/omnichannel-chat-components": "1.1.16",
-    "@microsoft/omnichannel-chat-sdk": "^1.11.7-main.3418dc3",
+    "@microsoft/omnichannel-chat-components": "1.1.18",
+    "@microsoft/omnichannel-chat-sdk": "^1.11.7-main.f31f9b6",
     "@opentelemetry/api": "^1.9.0",
     "abort-controller": "^3",
     "abort-controller-es5": "^2.0.1",