VYPR
Moderate severity · NVD Advisory · Published Apr 1, 2022 · Updated Aug 3, 2024

CVE-2022-21830

Description

A blind self-XSS vulnerability exists in RocketChat LiveChat before v1.9 that could allow an attacker to trick a victim into pasting malicious code into their chat instance.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      | Affected versions | Patched versions
@rocket.chat/livechat (npm)  | < 1.9.0           | 1.9.0

Vulnerability mechanics

Root cause

"Missing output sanitization of user-supplied innerText and rendered Markdown HTML allows injection of arbitrary JavaScript into the LiveChat widget DOM."

Attack vector

An attacker crafts a malicious payload (for example an HTML snippet such as an `<img>` tag with an event-handler attribute, or a Markdown link whose target is a `javascript:` URI) and tricks a victim into pasting it into the LiveChat composer input. Because the widget passed the composer's `innerText` to the `onChange` handler without sanitization, and rendered Markdown to HTML without sanitizing the output, the payload reached the page DOM as live markup and executed in the victim's browser session. This is a blind self-XSS scenario: the attacker has no way to inject the payload directly and depends on social engineering to get the victim to paste it, so execution is confined to the session of whoever pastes it, which is why the severity is rated moderate rather than high. [CWE-79]

Affected code

The vulnerability resides in `src/components/Composer/index.js` and `src/components/Messages/MessageText/markdown.js`. The `handleInput` callback passed user-supplied `innerText` directly to `onChange` without sanitization, and the `renderMarkdown` function rendered Markdown to HTML without sanitizing the output. Both paths allowed unneutralized user input to be placed into the page DOM, enabling cross-site scripting.

What the fix does

The patch adds the `dompurify` library (version 2.2.6) and imports its `sanitize` function in two files. In `Composer/index.js`, the `handleInput` callback now wraps `this.el.innerText` with `sanitize()` before passing it to `onChange`. In `Messages/MessageText/markdown.js`, the `renderMarkdown` function now passes the output of `md.render()` through `sanitize()`. DOMPurify parses the HTML and removes `<script>` elements, event-handler attributes such as `onerror`, and `javascript:` URLs in `href`/`src` attributes, so rendered messages can no longer carry executable content into the DOM. Of the two call sites, the one in `renderMarkdown` is the control that closes the vector: it runs on the output side, immediately before markup is inserted into the page. The `Composer` call is defense in depth only, since it runs in the sender's own browser and nothing prevents a different client from submitting unsanitized text.
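To make the two failure modes above concrete, here is an added example of a minimal chat-message renderer in the style of `renderMarkdown`, with the pre-fix behaviour beside a hardened version. It is illustrative code written for this page, not the project's `markdown.js` and not DOMPurify: instead of sanitizing rendered HTML after the fact, the hardened path HTML-escapes all user text and only emits links whose scheme is on an allowlist, which is the safe-by-construction alternative to post-render sanitization. The supported Markdown subset (`**bold**` and `[label](url)`), the function names, the `rel="noopener noreferrer"` attribute and the sample payloads are all assumptions made for the example; it runs under Node.js with no dependencies.

```javascript
// Added example for CVE-2022-21830: a toy message renderer showing the
// vulnerable pattern (raw HTML and arbitrary link schemes pass through) next
// to a hardened one (escape everything, allowlist link schemes). Not the
// project's code and not a substitute for a real sanitizer such as DOMPurify.

const LINK_RE = /\[([^\]]+)\]\(([^)\s]+)\)/g; // [label](url), assumed subset
const BOLD_RE = /\*\*([^*]+)\*\*/g;          // **bold**, assumed subset
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumption

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable path: mirrors the pre-1.9 behaviour described above. Inline HTML
// in the message is emitted untouched, and a Markdown link target becomes an
// href with no scheme check, so javascript: URIs survive into the DOM.
function renderUnsafe(text) {
  return text
    .replace(BOLD_RE, '<strong>$1</strong>')
    .replace(LINK_RE, '<a href="$2">$1</a>');
}

// Return a normalized absolute URL if its scheme is allowed, else null.
// WHATWG URL parsing (Node's URL class) lowercases the scheme and strips
// tabs/newlines, so "JavaScript:" or "java\nscript:" still resolve to
// protocol "javascript:" and are rejected. Relative or unparsable targets
// are also rejected: a chat link should be absolute.
function safeHref(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened path: every byte of user text is escaped before it becomes markup;
// the only markup emitted is generated by us from the Markdown subset, and a
// link is emitted only when safeHref() accepts its target. A rejected link is
// left as escaped literal text instead of silently dropped, so the recipient
// can see what was sent.
function renderSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(LINK_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  // Bold markers are ASCII that escapeHtml leaves alone, and the content
  // between them is already escaped, so wrapping it in <strong> is safe.
  return out.replace(BOLD_RE, '<strong>$1</strong>');
}

// Constructed sample messages: two payloads of the kind the advisory
// describes (an HTML snippet, a javascript: link), one case-variant scheme,
// and one benign message that must still render.
const SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '[click](javascript:alert%281%29)',
  '[click](JavaScript:alert%281%29)',
  '[docs](https://example.com/?a=1&b=2) **hi**',
];

// Render every sample both ways so the difference can be inspected.
function compare(samples = SAMPLES) {
  return samples.map((input) => ({
    input, unsafe: renderUnsafe(input), safe: renderSafe(input),
  }));
}

for (const row of compare()) console.log(row);
```

The benign sample shows the cost of the hardened path: the URL is re-emitted in normalized form (`&` becomes `&amp;` inside the attribute, and a bare origin gains a trailing slash), which is exactly the kind of change a post-render sanitizer such as DOMPurify avoids by parsing and pruning the generated HTML instead of regenerating it. Both approaches close the vector described on this page; the escape-and-allowlist one is easier to reason about when the renderer is small, the sanitizer approach is the practical choice when a full Markdown engine like the project's `md.render()` is already producing rich HTML.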

Preconditions

  • Config: The victim must be using RocketChat LiveChat version <1.9.
  • Input: The attacker must trick the victim into pasting a malicious payload into the LiveChat composer input (social engineering).

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
