Merge pull request #78 from webitel/hotfix/sanitize-chat-input

Hotfix/sanitize chat input
webitel · Oct 1, 2024 · e5646b8 · e5646b8
2 parents beaac16 + fd3e2f9
commit e5646b8
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 14 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "omnichannel-widget",
-  "version": "24.08.0",
+  "version": "24.08.1",
   "private": true,
   "scripts": {
     "serve": "vue-cli-service serve",
@@ -18,7 +18,9 @@
     "axios": "^0.27.2",
     "core-js": "^3.6.5",
     "deepmerge": "^4.2.2",
+    "dompurify": "^3.1.7",
     "emoji-picker-element": "^1.11.3",
+    "he": "^1.2.0",
     "insert-text-at-cursor": "^0.3.0",
     "jssip": "^3.10.0",
     "linkifyjs": "^3.0.0-beta.3",

diff --git a/...hat/components/wt-omni-widget-chat-content/messages/message/message-text/message-text.vue b/...hat/components/wt-omni-widget-chat-content/messages/message/message-text/message-text.vue
@@ -7,6 +7,8 @@
 
 <script>
 import linkifyHtml from 'linkifyjs/html';
+import dompurify from 'dompurify';
+import he from 'he';
 
 export default {
   name: 'message-text',
@@ -18,7 +20,7 @@ export default {
   },
   computed: {
     parsedText() {
-      return linkifyHtml(this.text, {
+      return linkifyHtml(he.encode(dompurify.sanitize(this.text)), {
         target: '_blank',
       });
     },

diff --git a/src/modules/chat/components/wt-omni-widget-chat-footer/chat-input.vue b/src/modules/chat/components/wt-omni-widget-chat-footer/chat-input.vue
@@ -9,8 +9,8 @@
         :placeholder="$t('chat.inputPlaceholder')"
         :value="draft"
         class="wt-omni-widget-chat-input__textarea"
-        @input="setDraft($event.target.value)"
-        @keypress.enter.prevent="handleEnter"
+        @input="handleInput($event.target.value)"
+        @keypress.enter="handleEnter"
       ></textarea>
     </div>
     <chat-footer-actions
@@ -22,6 +22,7 @@
 
 <script>
 import autosize from 'autosize';
+import dompurify from 'dompurify';
 import insertTextAtCursor from 'insert-text-at-cursor';
 import { mapActions, mapState } from 'vuex';
 import ChatFooterActions from './chat-footer-actions.vue';
@@ -49,10 +50,13 @@ export default {
         return dispatch(`${this.namespace}/SET_DRAFT`, payload);
       },
     }),
+    handleInput(value) {
+      const purifiedValue = dompurify.sanitize(value);
+      this.setDraft(purifiedValue);
+    },
     handleEnter(event) {
-      if (event.shiftKey || event.ctrlKey) {
-        this.setDraft(this.draft.concat('\n'));
-      } else {
+      if (!event.shiftKey && !event.ctrlKey) {
+        event.preventDefault();
         this.sendDraft(event);
       }
     },