From 3038e672f817a25f608b85bb4b457e5c56f597a4 Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Wed, 20 Aug 2025 20:23:42 +0200
Subject: [PATCH 1/3] chore(annotations): sync model annotations with current schema (#12245)

- Update Schema Information headers for AssignmentPolicy, Campaign, Notification
- Reflect schema change for Campaign.template_params (not null with default)
- Keep annotations consistent to avoid drift
---
 app/models/assignment_policy.rb | 2 +-
 app/models/notification.rb | 1 +
 db/migrate/20250709102213_add_template_params_to_campaigns.rb | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/models/assignment_policy.rb b/app/models/assignment_policy.rb
index c01ab91c4..a76893d61 100644
--- a/app/models/assignment_policy.rb
+++ b/app/models/assignment_policy.rb
@@ -3,7 +3,7 @@
 # Table name: assignment_policies
 #
 # id :bigint not null, primary key
-# assignment_order :integer default(0), not null
+# assignment_order :integer default("round_robin"), not null
 # conversation_priority :integer default("earliest_created"), not null
 # description :text
 # enabled :boolean default(TRUE), not null
diff --git a/app/models/notification.rb b/app/models/notification.rb
index 8c4162702..db07e3679 100644
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@@ -19,6 +19,7 @@
 #
 # Indexes
 #
+# idx_notifications_performance (user_id,account_id,snoozed_until,read_at)
 # index_notifications_on_account_id (account_id)
 # index_notifications_on_last_activity_at (last_activity_at)
 # index_notifications_on_user_id (user_id)
diff --git a/db/migrate/20250709102213_add_template_params_to_campaigns.rb b/db/migrate/20250709102213_add_template_params_to_campaigns.rb
index d70359b30..99d29071f 100644
--- a/db/migrate/20250709102213_add_template_params_to_campaigns.rb
+++ b/db/migrate/20250709102213_add_template_params_to_campaigns.rb
@@ -1,5 +1,5 @@
 class AddTemplateParamsToCampaigns < ActiveRecord::Migration[7.1]
 def change
- add_column :campaigns, :template_params, :jsonb, default: {}, null: false
+ add_column :campaigns, :template_params, :jsonb
 end
 end
From 714f24de11db3607103bf871220d7e6f4805ea7e Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Wed, 20 Aug 2025 21:39:50 +0200
Subject: [PATCH 2/3] revert: "fix(sdk): Ignore messages from a different origin and sanitizee URLs (#8879)" (#12248)

This reverts commit a42b99ada0621e2805a39038152dbf211fcac17f. fixes: #12247
---
 app/javascript/sdk/IFrameHelper.js | 33 ++---------------------------
 1 file changed, 2 insertions(+), 31 deletions(-)

diff --git a/app/javascript/sdk/IFrameHelper.js b/app/javascript/sdk/IFrameHelper.js
index 25f90912d..3ab1ba1f5 100644
--- a/app/javascript/sdk/IFrameHelper.js
+++ b/app/javascript/sdk/IFrameHelper.js
@@ -50,35 +50,11 @@ const updateCampaignReadStatus = baseDomain => {
 });
 };
-const sanitizeURL = url => {
- if (url === '') return '';
-
- try {
- // any invalid url will not be accepted
- // example - JaVaScRiP%0at:alert(document.domain)"
- // this has an obfuscated javascript protocol
- const parsedURL = new URL(url);
-
- // filter out dangerous protocols like `javascript`, `data`, `vbscript`
- if (!['https', 'http'].includes(parsedURL.protocol)) {
- throw new Error('Invalid Protocol');
- }
- } catch (e) {
- // eslint-disable-next-line no-console
- console.error('Invalid URL', e);
- }
-
- return 'about:blank'; // blank page URL
-};
-
 export const IFrameHelper = {
 getUrl({ baseUrl, websiteToken }) {
- baseUrl = sanitizeURL(baseUrl);
 return `${baseUrl}/widget?website_token=${websiteToken}`;
 },
 createFrame: ({ baseUrl, websiteToken }) => {
- baseUrl = sanitizeURL(baseUrl);
-
 if (IFrameHelper.getAppFrame()) {
 return;
 }
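Review bot: The migration `20250709102213_add_template_params_to_campaigns.rb` is edited in place, so any database that has already run it keeps `template_params` as `jsonb, default: {}, null: false`, while fresh installs get a nullable column with no default. The commit description says the schema is "not null with default", which is the opposite of what the new `add_column :campaigns, :template_params, :jsonb` line creates. If the nullable shape is the intended one, a new migration using `change_column_null` and `change_column_default` would bring existing databases in line. Either way, code that reads `template_params` should tolerate `nil`.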
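Review bot: `getUrl` and `createFrame` now build the iframe URL from `baseUrl` with no scheme check at all, and the `setupAudioListeners` and `popoutChatWindow` hunks further down lose the same call. The helper being removed could not have worked as written: `URL#protocol` carries a trailing colon (`https:`), so the comparison against `['https', 'http']` always threw, and every non-empty input fell through to `return 'about:blank'`. That presumably explains the revert, but a corrected helper is a better replacement than none, so that a `javascript:` or `data:` value in the embed configuration never reaches the frame `src` or the popout URL. A sketch follows; `createFrame`'s body continues past the end of the hunk.

```javascript
// Accept only absolute http(s) base URLs; anything else becomes a blank page.
const ALLOWED_PROTOCOLS = ['http:', 'https:'];

const sanitizeURL = url => {
  if (url === '') return '';
  try {
    // URL#protocol includes the trailing colon, e.g. "https:".
    if (ALLOWED_PROTOCOLS.includes(new URL(url).protocol)) {
      return url;
    }
  } catch (e) {
    // Unparsable input is handled like a disallowed scheme.
  }
  return 'about:blank';
};

export const IFrameHelper = {
  getUrl({ baseUrl, websiteToken }) {
    baseUrl = sanitizeURL(baseUrl);
    // … unchanged: return of the widget URL …
```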
@@ -126,12 +102,10 @@ export const IFrameHelper = {
 window.onmessage = e => {
 if (
 typeof e.data !== 'string' ||
- e.data.indexOf('chatwoot-widget:') !== 0 ||
- e.origin !== window.location.origin
+ e.data.indexOf('chatwoot-widget:') !== 0
 ) {
 return;
 }
-
 const message = JSON.parse(e.data.replace('chatwoot-widget:', ''));
 if (typeof IFrameHelper.events[message.event] === 'function') {
 IFrameHelper.events[message.event](message);
@@ -166,9 +140,7 @@ export const IFrameHelper = {
 },
 setupAudioListeners: () => {
- let { baseUrl = '' } = window.$chatwoot;
- baseUrl = sanitizeURL(baseUrl);
-
+ const { baseUrl = '' } = window.$chatwoot;
 getAlertAudio(baseUrl, { type: 'widget', alertTone: 'ding' }).then(() =>
 initOnEvents.forEach(event => {
 document.removeEventListener(
@@ -262,7 +234,6 @@ export const IFrameHelper = {
 },
 popoutChatWindow: ({ baseUrl, websiteToken, locale }) => {
- baseUrl = sanitizeURL(baseUrl);
 const cwCookie = Cookies.get('cw_conversation');
 window.$chatwoot.toggle('close');
 popoutChatWindow(baseUrl, websiteToken, locale, cwCookie);
From ae3ac33049432aa6fa54cd2010895ba2f3b67980 Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Wed, 20 Aug 2025 21:44:30 +0200
Subject: [PATCH 3/3] Bump version to 4.5.2

---
 config/app.yml | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/app.yml b/config/app.yml
index cc7233c18..d11111fbc 100644
--- a/config/app.yml
+++ b/config/app.yml
@@ -1,5 +1,5 @@
 shared: &shared
- version: '4.5.1'
+ version: '4.5.2'
 development:
 <<: *shared
diff --git a/package.json b/package.json
index 8dc6b2565..31d07021e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@chatwoot/chatwoot",
- "version": "4.5.1",
+ "version": "4.5.2",
 "license": "MIT",
 "scripts": {
 "eslint": "eslint app/**/*.{js,vue}",
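Review bot: With the origin comparison gone, the `window.onmessage` handler dispatches any string message prefixed `chatwoot-widget:` to `IFrameHelper.events[...]`, whichever window sent it. The removed check compared `e.origin` with `window.location.origin`, the host page's own origin, which a widget iframe served from `baseUrl` on another domain would never match; that is presumably the breakage behind the revert. The guard should compare against the widget's origin instead, for example `e.origin !== new URL(window.$chatwoot.baseUrl).origin`, ideally together with an `e.source` check against the widget iframe's `contentWindow`. `JSON.parse` is also unguarded, so a malformed payload with the right prefix throws inside the handler; wrapping it in `try`/`catch` and returning on failure would contain that. The handler's body continues outside the hunk.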