8000 Add Docs Agent chat widget by morganmcg1 · Pull Request #1254 · wandb/docs · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add Docs Agent chat widget #1254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue 8000 and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Add Docs Agent chat widget #1254

wants to merge 15 commits into from

Conversation

morganmcg1
Copy link
Member
  • Add chat widget
  • pretty
  • Add support chat widget and enhance agent message handling

@morganmcg1 morganmcg1 requested a review from a team as a code owner April 16, 2025 00:39
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 16, 2025
View reviewed changes
static/chat-widget.js Outdated
Comment on lines 309 to 314
msgDiv.innerHTML = `
<div class="chat-widget-ai-content-with-avatar">
<div class="chat-widget-ai-content">${text}</div>
<div class="chat-widget-ai-avatar-row">${beeSVG(24)}</div>
</div>
`;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link
cloudflare-workers-and-pages bot commented Apr 16, 2025
edited
Loading

Deploying docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 8c21a35
Status: ✅  Deploy successful!
Preview URL: https://cf324826.docodile.pages.dev
Branch Preview URL: https://add-docs-agent-widget.docodile.pages.dev

View logs

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 17, 2025
View reviewed changes
static/chat-widget.js
</div>
`;
} else if (role === 'support') {
ms 8000 gDiv.innerHTML = supportWidget(text);

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 3 months ago

To fix the issue, we need to ensure that any user-provided input is properly escaped before being inserted into the DOM. The escapeHtml function already exists in the codebase and can be used to sanitize the text variable before it is passed to the supportWidget function. This will prevent any malicious HTML or JavaScript from being executed.

The fix involves:

  1. Modifying the appendMsg function to escape the text variable when the role is support.
  2. Ensuring that the supportWidget function only receives sanitized input.
Suggested changeset 1
static/chat-widget.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/static/chat-widget.js b/static/chat-widget.js
--- a/static/chat-widget.js
+++ b/static/chat-widget.js
@@ -521,3 +521,3 @@
       } else if (role === 'support') {
-        msgDiv.innerHTML = supportWidget(text);
+        msgDiv.innerHTML = supportWidget(escapeHtml(text));
       } else if (role === 'bot' && isHtml) {
EOF
@@ -521,3 +521,3 @@
} else if (role === 'support') {
msgDiv.innerHTML = supportWidget(text);
msgDiv.innerHTML = supportWidget(escapeHtml(text));
} else if (role === 'bot' && isHtml) {
Copilot is powered by AI and may make mistakes. Always verify output.
static/chat-widget.js
} else if (role === & 8000 #39;support') {
msgDiv.innerHTML = supportWidget(text);
} else if (role === 'bot' && isHtml) {
msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 3 months ago

To fix the issue, we need to ensure that any untrusted input is sanitized before being inserted into the DOM as HTML. Since the isHtml flag is used to determine whether the text should be treated as raw HTML, we can introduce a sanitization step for text when isHtml is true. A library like DOMPurify can be used to sanitize the HTML input, ensuring that only safe HTML is allowed. This approach preserves the intended functionality while mitigating the XSS risk.

Suggested changeset 2
static/chat-widget.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/static/chat-widget.js b/static/chat-widget.js
--- a/static/chat-widget.js
+++ b/static/chat-widget.js
@@ -2,2 +2,4 @@
 (function () {
+  // Import DOMPurify for sanitizing HTML
+  const DOMPurify = window.DOMPurify;
   // --- UUID v4 Generator ---
@@ -523,3 +525,3 @@
       } else if (role === 'bot' && isHtml) {
-        msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading
+        msgDiv.innerHTML = DOMPurify.sanitize(text); // Sanitize raw HTML for bot loading
       } else {
@@ -528,3 +530,3 @@
             <div class="chat-widget-ai-content-with-avatar">
-              <div class="chat-widget-ai-content">${text}</div>
+              <div class="chat-widget-ai-content">${DOMPurify.sanitize(text)}</div>
               <div class="chat-widget-ai-avatar-row">${wandbLogoOctagonSVG(28)}</div>
EOF
@@ -2,2 +2,4 @@
(function () {
// Import DOMPurify for sanitizing HTML
const DOMPurify = window.DOMPurify;
// --- UUID v4 Generator ---
@@ -523,3 +525,3 @@
} else if (role === 'bot' && isHtml) {
msgDiv.innerHTML = text; // Insert spinner raw HTML for bot loading
msgDiv.innerHTML = DOMPurify.sanitize(text); // Sanitize raw HTML for bot loading
} else {
@@ -528,3 +530,3 @@
<div class="chat-widget-ai-content-with-avatar">
<div class="chat-widget-ai-content">${text}</div>
<div class="chat-widget-ai-content">${DOMPurify.sanitize(text)}</div>
<div class="chat-widget-ai-avatar-row">${wandbLogoOctagonSVG(28)}</div>
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -47,2 +47,5 @@
     "singleQuote": true
+  },
+  "dependencies": {
+    "dompurify": "^3.2.5"
   }
EOF
@@ -47,2 +47,5 @@
"singleQuote": true
},
"dependencies": {
"dompurify": "^3.2.5"
}
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.5 None
Copilot is powered by AI and may make mistakes. Always verify output.
@mdlinville
Copy link
Contributor

Screenshot 2025-04-17 at 10 54 26 AM
I tried to interact with it but I am getting an error. Am I doing something wrong? I did it from https://add-docs-agent-widget.docodile.pages.dev/.

@morganmcg1
Copy link
Member Author

Oh yep, the backend needs to be running too: https://github.com/morganmcg1/demo-docs-bot

Will share instructions in the PR later once the backend code is tidied up

@morganmcg1 morganmcg1 changed the title add docs agent widget Add Docs Agent chat widget Apr 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@morganmcg1 @mdlinville
0