Improved data security for Chat Widget block - Read more on how to implement

Dear Canvas users,

We’ve recently added improved data security measures to our chat widget. It is now available in the newest version of the chat widget and you will be able to get it if the topinput_chat reusable element doesn’t already exist in your app. However, we’re unable to retroactively add the patch to existing Canvas apps that have already added the chat widget to their apps.

To implement this in your own Canvas app, you could follow one of the two approaches below:

Plugin-based approach, UI looks the same:

  1. Go to the chat block’s reusable element that you have added to your app. If you have added multiple different chat blocks to your app, there may be multiple reusable elements to edit.

  2. Then, search for the workflow where a new Message is created along with user-entered text.

  3. Install the plugin “XSS Tool” by Airdev.

  4. Before the workflow where a new Message is created, add a new workflow step using the “Sanitize text (XSS)” action from the plugin “XSS Tool”. This step should use the same input as the “Create a new Message” workflow uses.

  5. Then, in the “Create a new Message” workflow, refer to the data source “Result of step 1’s Sanitized Text”.

  6. Test the above changes in your app to make sure they are working properly.

This fix has a slight performance tradeoff - it takes a little longer to send each message. However, it will improve the security of your app for all your users, so we highly recommend that you implement it.

Different approach to fixing bug: Bubble text element

  1. Change the HTML elements that are used to display the message text into a Bubble text element. There are multiple HTML elements on the page in some Chat reusable elements.

  2. Set up a workflow so that when this element is clicked, the attachment is downloaded. This workflow uses the Airdev “Download file” plugin, so you’d need to install that to use this approach.

This approach may require you to edit the styles of the text elements to match the styles of the old HTML groups.

Thanks,
Chris
