Live Helper Chat

Communication & Email

Open‑source live chat application that adds free, self‑hosted customer support to any website

PHP · Latest 4.86v · 8d ago

Features

  • Free web‑based live chat interface for websites
  • Self‑hosted deployment supporting high‑volume chats (10k+ per day)
  • Mobile apps for iOS and Android to manage chats on the go
  • Extensive integration ecosystem (Telegram, Discord, Jitsi, Agora, Twilio, etc.)
  • AI‑powered bot support with ChatGPT, Rasa, Gemini, Ollama integrations

Recent releases

Review required
4.86v Breaking risk
Auth

Performance dashboard + auth hardening

4.85v Security relevant
Security fixes
  • Chat operation permissions now require explicit read/write access checks; additional permission hardening applied across related flows.
Notable features
  • CSP parser integration with policy exposure hardening
  • Widget-theme option to disable voice messages
  • DeepL model and formality options in translation workflow
Full changelog
  1. Notable changes since 4.84v

    • Security and access control: tightened chat operation permissions by requiring proper read/write access checks; additional permission hardening was applied across related flows.
    • CSP and policy handling: completed CSP parser integration and follow-up fixes, including policy exposure hardening and parser/library alignment.
    • Voice messaging and widget UX: improved voice-message flow and UX, updated voice app behavior, kept cursor focus on desktop, and added a widget-theme option to disable voice messages.
    • Translation workflow: improved automatic translation reliability, added DeepL model/formality options, enhanced metadata/error handling, and refined start/stop and old-message translation flows.
    • Analytics and timing metrics: improved chat duration/response-time calculations, participant timing accounting, and operator duration output in reports.
    • REST API and diagnostics: added optional custom REST API messages, improved exception visibility/traceback details, and enabled direct log viewing from back office.
    • Invitations and online-hours logic: enhanced invitation alias/profile handling and improved overlapping online-hours period calculations.
    • UI/translations/dependencies: updated translations, refreshed JS dependencies (including html-react-parser migration), and applied multiple package/security updates.
    • Misc fixes: delivered issue-specific fixes and regressions cleanup (including #2378, #2379, #2382), plus release workflow updates.
  2. Summary

    • This release focuses on security hardening, CSP maturity, and operator productivity, while also improving voice messaging UX and translation automation quality.
    • It also improves chat/mail timing metrics and diagnostics, with additional stability updates across UI, dependencies, and release automation.

No new DB migration script required for this release.

Full Changelog: https://github.com/LiveHelperChat/livehelperchat/compare/4.84v...4.85v

4.84v New feature
⚠ Upgrade required
  • Execute `doc/update_db/update_351.sql` as part of the upgrade procedure
  • New schema updates and tables added; ensure database migration runs successfully
Security fixes
  • Enhanced uploaded file validation to prevent unsafe file execution (file preview upload flow)
Notable features
  • Expanded widget theme customization options including color controls, applied to offline form
  • Added assignment notification preferences (assigned pending chats vs all pending chats) and quick auto‑assignment action
  • Strengthened uploaded file verification with expanded MIME type handling
Full changelog
  1. Notable changes since 4.83v

    • REST API and bot workflow: improved REST API trigger execution and request body handling with attachment support; added skipped-body debug preview; enhanced chat locking behavior for streaming and chunked responses while preserving typing indicators.
    • Widget and UI: expanded widget theme customization options (including color controls), applied theme colors to offline form, improved message delivery indicator styling, fixed height adjustments and zoom/icon interaction issues, and added support for custom nick from admin themes.
    • Notifications and operator workflow: added assignment notification preferences (assigned pending chats vs all pending chats), quick action for auto-assignment, and persistent disabling of mobile notifications.
    • Chat filters and analytics: added participant filters to chat search, improved filters and restored pagination behavior, added participant-aware export enhancements, and introduced average chat duration by agent/participant.
    • File validation and security hardening: expanded MIME type handling for common file types and strengthened uploaded file verification (including file preview upload flow).
    • Translation and UX polish: improved translation error handling and transaction flow, added operator notice for active chat translation state, and updated translations across modules.
    • Core/codebase maintenance: added new tables and schema updates, improved error/log reporting and timing diagnostics (render and DB connection timing), and modernized PHP code style in core files.
  2. Summary

    • This release focuses on reliability and operator experience: stronger REST API/bot handling, better widget customization and messaging UX, richer notification controls, and improved chat search/export analytics.
    • It also includes security-oriented file validation improvements, translation workflow refinements, and core maintenance updates for better observability and long-term stability.

Execute `doc/update_db/update_351.sql` for the update.

What's Changed

  • Msg fix by @remdex in https://github.com/LiveHelperChat/livehelperchat/pull/2370
  • refactor: modernize syntax and simplify code by @NullSablex in https://github.com/LiveHelperChat/livehelperchat/pull/2371
  • 4.84v by @remdex in https://github.com/LiveHelperChat/livehelperchat/pull/2374

Full Changelog: https://github.com/LiveHelperChat/livehelperchat/compare/4.83v...4.84v

4.83v Bug fix
⚠ Upgrade required
  • Run `doc/update_db/update_350.sql` to apply database migration for this release
Notable features
  • Chat list sorting options for highest/lowest message count with validation warning for date range >31 days
  • Webhook debug mode in `processEvent` and new validation conditions `notempty` and `in_list`
  • Multi-select dropdowns now include "Select all" and "Unselect all" buttons
Full changelog
  1. Notable changes since 4.82v

    • Chat list sorting: added sort options for highest and lowest message count in chat lists; a validation warning is shown when sorting by message count without a date range of 31 days or less.
    • Webhooks: debug mode support added to processEvent in both chat and mail conversation continuous webhook classes; new validation conditions notempty and in_list; improved error handling and logging; webhook form updated with chat ID testing and improved button styling; test pattern module enhanced with webhook ID validation.
    • Dropdown: "Select all" and "Unselect all" buttons added to multi-select dropdowns across the back-office; dropdown plugin and render helper updated accordingly.
    • Subject filter: subject filter conditions added to the chat list search panel and mail conversation search panel; department user dep logic enhanced.
    • Widget: bumped to version 272; improved screenAttributesUpdate height/width calculations for better responsiveness across screen sizes; wrapper now passes its version to the API; fixed proper termination in wrapper source.
    • Canned messages: fixed auto-uppercase breaking text input in the new rich-text editor (LHCEditor).
    • REST API: fixed authentication validator regression.
    • Chat core: added support for dashes in chat handling logic.
    • Templates: minor fixes in chat lists template and survey fill-widget template.
  2. Summary

    • This release improves chat list usability with message count sorting, strengthens webhook debugging with debug mode and new validation conditions, and enhances multi-select dropdowns with select-all/unselect-all controls.
    • Widget responsiveness and wrapper version reporting are improved; canned message auto-uppercase and REST API auth issues are resolved.

Execute `doc/update_db/update_350.sql` for the update.

Full Changelog: https://github.com/LiveHelperChat/livehelperchat/compare/4.82v...4.83v

4.82v Security relevant
⚠ Upgrade required
  • Run `doc/update_db/update_349.sql` after upgrading to apply the required database migration.
Security fixes
  • L01 – SSRF via incoming webhook image download (CWE-918)
  • L06 – Mass assignment in REST API file PUT leading to arbitrary file read (CWE-915, CWE-22)
  • L11 – Stored XSS via Content‑Type spoofing in file upload (CWE-79, CWE-345)
Notable features
  • Widget expand mode with configurable width/height ratios
  • Chat search/statistics filters by operator, visitor, bot message counts and ID range
  • Operator quick‑action toggle for chat tab visibility
Full changelog
  1. Notable changes since 4.81v

    • Security/file handling: enhanced MIME type validation across file download endpoints (downloadfile.php, inlinedownload.php, REST API file.php); MIME type constants added in mail conversation parser; all operator/visitor uploads validated against var folder path; resolved security issues L01, L02, L04, L05, L06, L11, L13.
    • Widget: added expand mode with configurable width/height ratios and new shrink_text/expand_text UI fields; widget communication updated to include user session prefill variables in sent messages; fixed reloadWidget function; updated wrapper version.
    • Chat search/statistics: added message count filters (operators, visitors, bots) to search panel and statistics tabs; added total messages count input field; added search by message ID range.
    • Chat tab visibility: operators can toggle chat tab visibility (show/hide chat tabs) via quick actions in user settings.
    • User settings: added auto-accept chats option and alert preference for transferred chats.
    • Variables/prefill: support for passing custom back-office vars as lhc_var variables; encrypted prefilled variables always applied; variable only set when replaceable variable is non-empty; proactive invitations now update vars when custom vars are passed.
    • Theme/translations: widget theme translate method accepts user context; REST API modules (checkchatstatus, getinvitation, initchat, onlinesettings, settings) use user context for theme translations; multilanguage support for custom fields; fetchByVid includes caching option.
    • Canned messages: refactored retrieval with getCannedMessages method; added auto_send filter and ignore_subjects parameter.
    • Extensions: support for extensions to contribute custom side-menu items.
    • Configuration: folder/directory write-permission checks added to the configuration page with per-directory success/error indicators.
    • Bot: support for background workers in REST API bot action; improved bot detection filtering.
    • Message history: previous-message loading always uses all messages when the page limit is not reached; safe inclusion of all chat messages.
  2. Summary

    • This release strengthens file handling security with MIME type validation, file path checks, and resolves multiple L-series security issues.
    • Operator UX improvements include widget expand mode, chat tab visibility toggles, and richer user settings (auto-accept, transfer alerts).
    • Search and statistics gain new message count filters; extensions gain custom side-menu support; theme translations now respect user context.
  3. Contributors

  • L01: SSRF via incoming webhook image download (CWE-918)
  • L06: Mass assignment in REST API file PUT leading to arbitrary file read (CWE-915, CWE-22)
  • L11: Stored XSS via Content-Type spoofing in file upload (CWE-79, CWE-345)
  • L13: Unsafe deserialization in configuration loader (CWE-502)

Vulnerability Researcher: Pedro J. Núñez-Cacho Fuentes (https://blogs.tunelko.com)

Execute `doc/update_db/update_349.sql` for the update.

Full Changelog: https://github.com/LiveHelperChat/livehelperchat/compare/4.81v...4.82v

About

Stars: 2,211
Forks: 731
Languages: PHP, JavaScript, Svelte

Install & Platforms

Mobile: Android, iOS
