From bcde9a3695065c05c9cd44fba026187e2cf24001 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Thu, 26 Nov 2015 10:44:28 +0100
Subject: [PATCH 1/3] Also remove svg in htmlCleanup(), htmlRemoveTags() and htmlRemoveRichtext().
---
 .../javascripts/app/lib/app_post/utils.coffee | 8 ++++----
 public/assets/tests/html-utils.js | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/app/assets/javascripts/app/lib/app_post/utils.coffee b/app/assets/javascripts/app/lib/app_post/utils.coffee
index 787cf2397..01520a2ad 100644
--- a/app/assets/javascripts/app/lib/app_post/utils.coffee
+++ b/app/assets/javascripts/app/lib/app_post/utils.coffee
@@ -116,7 +116,7 @@ class App.Utils
 )
 # remove tags & content
- html.find('div, span, p, li, ul, ol, a, b, u, i, label, small, strong, strike, pre, code, center, blockquote, form, textarea, font, table, thead, tbody, tr, td, h1, h2, h3, h4, h5, h6, br, hr, img, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
+ html.find('div, span, p, li, ul, ol, a, b, u, i, label, small, strong, strike, pre, code, center, blockquote, form, textarea, font, table, thead, tbody, tr, td, h1, h2, h3, h4, h5, h6, br, hr, img, svg, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
 html
@@ -138,7 +138,7 @@ class App.Utils
 )
 # remove tags & content
- html.find('li, ul, ol, a, b, u, i, label, small, strong, strike, pre, code, center, blockquote, form, textarea, font, address, table, thead, tbody, tr, td, h1, h2, h3, h4, h5, h6, hr, img, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
+ html.find('li, ul, ol, a, b, u, i, label, small, strong, strike, pre, code, center, blockquote, form, textarea, font, address, table, thead, tbody, tr, td, h1, h2, h3, h4, h5, h6, hr, img, svg, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
 html
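Review bot: The `svg` entry added to the selector in this hunk and in the hunk at line 138 extends a denylist, so any element type not named there still passes through with its content and attributes, and the list must grow each time another embeddable element is considered; for markup that is rendered later, an allowlist of permitted elements with everything else removed is the more robust shape. Only the `.remove()` line is shown — the enclosing method starts before the hunk and whatever the preceding `)` closes is not visible — so whether attributes are handled in an earlier pass cannot be confirmed from here. A comment above each call stating the contract, e.g. `# denylist: elements not listed here survive together with their attributes`, would make that limitation explicit for the next person who extends it.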
@@ -155,7 +155,7 @@ class App.Utils
 @_removeWordMarkup(html)
 # remove tags, keep content
- html.find('a, font, small, time').replaceWith( ->
+ html.find('a, font, small, time, form').replaceWith( ->
 $(@).contents()
 )
@@ -179,7 +179,7 @@ class App.Utils
 )
 # remove tags & content
- html.find('form, font, hr, img, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
+ html.find('font, hr, img, svg, input, select, button, style, applet, embed, noframes, canvas, script, frame, iframe').remove()
 html
diff --git a/public/assets/tests/html-utils.js b/public/assets/tests/html-utils.js
index 2d190d843..385ddcde7 100644
--- a/public/assets/tests/html-utils.js
+++ b/public/assets/tests/html-utils.js
@@ -246,7 +246,7 @@ test("htmlRemoveTags", function() {
 result = App.Utils.htmlRemoveTags($(source))
 equal(result.html(), should, source)
- source = "
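Review bot: Besides adding `svg`, the hunk at line 179 drops `form` from the remove-with-content list while the hunk at line 155 adds it to the unwrap list, so this helper now keeps the text inside a form (its `input`, `select` and `button` children are still removed by the line-179 list) — a behaviour change the commit subject, which mentions only svg, does not record. The other two helpers touched by this patch (hunks at lines 116 and 138) still remove `form` together with its content, so the three functions now disagree on forms; if that is intended, a comment on the line-155 call such as `# form: keep its text, the controls are dropped below` would mark it as deliberate. The enclosing method starts before both hunks and its body between them is not visible.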
test 123
" + source = "
test 123
" //should = "
test 123
" should = "test 123" result = App.Utils.htmlRemoveRichtext($(source)) @@ -345,7 +345,7 @@ test("htmlRemoveRichtext", function() { result = App.Utils.htmlRemoveRichtext($(source)) equal(result.html(), should, source) - source = "
This is some text!
" + source = "
This is some text!
" //should = "
This is some text!
" should = "This is some text!" result = App.Utils.htmlRemoveRichtext($(source)) @@ -400,31 +400,31 @@ test("htmlCleanup", function() { source = "

" //should = "

" should = "

" - result = App.Utils.htmlRemoveRichtext($(source)) + result = App.Utils.htmlCleanup($(source)) equal(result.html(), should, source) source = "
test 123
" //should = "
test 123
" should = "test 123" - result = App.Utils.htmlRemoveRichtext($(source)) + result = App.Utils.htmlCleanup($(source)) equal(result.html(), should, source) source = "
test 123
some other value
" //should = "
test 123 some other value
" should = "test 123 some other value" - result = App.Utils.htmlRemoveRichtext($(source)) + result = App.Utils.htmlCleanup($(source)) equal(result.html(), should, source) source = "
test 123
some other value
" //should = "
test 123 some other value
" should = "test 123 some other value" - result = App.Utils.htmlRemoveRichtext($(source)) + result = App.Utils.htmlCleanup($(source)) equal(result.html(), should, source) - source = "
This is some text!
" + source = "
This is some text!
" //should = "
This is some text!
" should = "This is some text!" - result = App.Utils.htmlRemoveRichtext($(source)) + result = App.Utils.htmlCleanup($(source)) equal(result.html(), should, source) source = "

some link to somewhere from wordabc

" From 76a130ac96e61b39fee62e3104f2963d610e22ac Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Thu, 26 Nov 2015 10:50:23 +0100 Subject: [PATCH 2/3] Removed not longer needed checks. --- app/models/chat.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/app/models/chat.rb b/app/models/chat.rb index dc2704c97..ccc9b47c3 100644 --- a/app/models/chat.rb +++ b/app/models/chat.rb @@ -5,7 +5,6 @@ class Chat < ApplicationModel store :preferences def customer_state(session_id = nil) - return { state: 'chat_disabled' } if !Setting.get('chat') # reconnect if session_id @@ -63,7 +62,6 @@ class Chat < ApplicationModel end def self.agent_state(user_id) - return { state: 'chat_disabled' } if !Setting.get('chat') assets = {} Chat.where(active: true).each {|chat| assets = chat.assets(assets) From 0314a67ee9a5de6211991ecb12012d0ade3ec1b1 Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Thu, 26 Nov 2015 10:51:25 +0100 Subject: [PATCH 3/3] Use content editable widget to prevent not wanted html injections. --- app/assets/javascripts/app/controllers/chat.coffee | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/app/assets/javascripts/app/controllers/chat.coffee b/app/assets/javascripts/app/controllers/chat.coffee index 702908b3a..da34f17da 100644 --- a/app/assets/javascripts/app/controllers/chat.coffee +++ b/app/assets/javascripts/app/controllers/chat.coffee @@ -294,6 +294,12 @@ class ChatWindow extends App.Controller if event.data and event.data.callback event.data.callback() + @$('.js-customerChatInput').ce({ + mode: 'richtext' + multiline: true + maxlength: 40000 + }) + close: => @el.one 'transitionend', { callback: @release }, @onTransitionend @el.removeClass('is-open')