Skip to content

Add Docs Agent chat widget#1254

Closed
morganmcg1 wants to merge 15 commits into
mainfrom
add_docs_agent_widget
Closed

Add Docs Agent chat widget#1254
morganmcg1 wants to merge 15 commits into
mainfrom
add_docs_agent_widget

Conversation

@morganmcg1

Copy link
Copy Markdown
Member
  • Add chat widget
  • pretty
  • Add support chat widget and enhance agent message handling

@morganmcg1 morganmcg1 requested a review from a team as a code owner April 16, 2025 00:39
Comment thread static/chat-widget.js Fixed
Comment thread static/chat-widget.js
Comment on lines +309 to +314
msgDiv.innerHTML = `
<div class="chat-widget-ai-content-with-avatar">
<div class="chat-widget-ai-content">${text}</div>
<div class="chat-widget-ai-avatar-row">${beeSVG(24)}</div>
</div>
`;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML

[DOM text](1) is reinterpreted as HTML without escaping meta-characters.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 16, 2025

Copy link
Copy Markdown

Deploying docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 8c21a35
Status: ✅  Deploy successful!
Preview URL: https://cf324826.docodile.pages.dev
Branch Preview URL: https://add-docs-agent-widget.docodile.pages.dev

View logs

Comment thread static/chat-widget.js
</div>
`;
} else if (role === 'support') {
msgDiv.innerHTML = supportWidget(text);

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML

[DOM text](1) is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI about 1 year ago

To fix the issue, we need to ensure that any user-provided input is properly escaped before being inserted into the DOM. The escapeHtml function already exists in the codebase and can be used to sanitize the text variable before it is passed to the supportWidget function. This will prevent any malicious HTML or JavaScript from being executed.

The fix involves:

  1. Modifying the appendMsg function to escape the text variable when the role is support.
  2. Ensuring that the supportWidget function only receives sanitized input.
Suggested changeset 1
static/chat-widget.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/static/chat-widget.js b/static/chat-widget.js
--- a/static/chat-widget.js
+++ b/static/chat-widget.js
@@ -521,3 +521,3 @@
       } else if (role === 'support') {
-        msgDiv.innerHTML = supportWidget(text);
+        msgDiv.innerHTML = supportWidget(escapeHtml(text));
       } else if (role === 'bot' && isHtml) {
EOF
@@ -521,3 +521,3 @@
} else if (role === 'support') {
msgDiv.innerHTML = supportWidget(text);
msgDiv.innerHTML = supportWidget(escapeHtml(text));
} else if (role === 'bot' && isHtml) {
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread static/chat-widget.js
} else if (role === 'support') {
msgDiv.innerHTML = supportWidget(text);
} else if (role === 'bot' && isHtml) {
msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML

[DOM text](1) is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI about 1 year ago

To fix the issue, we need to ensure that any untrusted input is sanitized before being inserted into the DOM as HTML. Since the isHtml flag is used to determine whether the text should be treated as raw HTML, we can introduce a sanitization step for text when isHtml is true. A library like DOMPurify can be used to sanitize the HTML input, ensuring that only safe HTML is allowed. This approach preserves the intended functionality while mitigating the XSS risk.

Suggested changeset 2
static/chat-widget.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/static/chat-widget.js b/static/chat-widget.js
--- a/static/chat-widget.js
+++ b/static/chat-widget.js
@@ -2,2 +2,4 @@
 (function () {
+  // Import DOMPurify for sanitizing HTML
+  const DOMPurify = window.DOMPurify;
   // --- UUID v4 Generator ---
@@ -523,3 +525,3 @@
       } else if (role === 'bot' && isHtml) {
-        msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading
+        msgDiv.innerHTML = DOMPurify.sanitize(text); // Sanitize raw HTML for bot loading
       } else {
@@ -528,3 +530,3 @@
             <div class="chat-widget-ai-content-with-avatar">
-              <div class="chat-widget-ai-content">${text}</div>
+              <div class="chat-widget-ai-content">${DOMPurify.sanitize(text)}</div>
               <div class="chat-widget-ai-avatar-row">${wandbLogoOctagonSVG(28)}</div>
EOF
@@ -2,2 +2,4 @@
(function () {
// Import DOMPurify for sanitizing HTML
const DOMPurify = window.DOMPurify;
// --- UUID v4 Generator ---
@@ -523,3 +525,3 @@
} else if (role === 'bot' && isHtml) {
msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading
msgDiv.innerHTML = DOMPurify.sanitize(text); // Sanitize raw HTML for bot loading
} else {
@@ -528,3 +530,3 @@
<div class="chat-widget-ai-content-with-avatar">
<div class="chat-widget-ai-content">${text}</div>
<div class="chat-widget-ai-content">${DOMPurify.sanitize(text)}</div>
<div class="chat-widget-ai-avatar-row">${wandbLogoOctagonSVG(28)}</div>
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -47,2 +47,5 @@
     "singleQuote": true
+  },
+  "dependencies": {
+    "dompurify": "^3.2.5"
   }
EOF
@@ -47,2 +47,5 @@
"singleQuote": true
},
"dependencies": {
"dompurify": "^3.2.5"
}
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.5 None
Copilot is powered by AI and may make mistakes. Always verify output.
@mdlinville

Copy link
Copy Markdown
Contributor

Screenshot 2025-04-17 at 10 54 26 AM
I tried to interact with it but I am getting an error. Am I doing something wrong? I did it from https://add-docs-agent-widget.docodile.pages.dev/.

@morganmcg1

Copy link
Copy Markdown
Member Author

Oh yep, the backend needs to be running too: https://github.com/morganmcg1/demo-docs-bot

Will share instructions in the PR later once the backend code is tidied up

@morganmcg1 morganmcg1 changed the title add docs agent widget Add Docs Agent chat widget Apr 22, 2025
@johndmulhausen

Copy link
Copy Markdown
Contributor

Closing since this isn't the direction we're going. Thanks, Morgan!

@johndmulhausen johndmulhausen deleted the add_docs_agent_widget branch August 29, 2025 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants