4.86v Performance widgets

1. Notable changes since 4.85v
   - Performance statistics dashboard widgets: added new `dep_performance` and `op_performance` dashboard widgets that display real-time aggregated statistics for departments and operators respectively; widgets support configurable columns (chats received, chats answered, wait time, first/average response time, thumbs up/down, online/offline time) with configurable position and update intervals; new settings UI under Statistics for both department and operator performance configuration.
   - Performance stats cron aggregator: new cron job (`cron/stats/performance`) aggregates department and operator performance data into the new `lh_abstract_performance` table; supports forced regeneration via `-p force`; configurable update interval and day range; cron respects sql_mode and local timezone settings.
   - New `Performance` and `PerformanceWidgets` models: `Performance` model stores/retrieves serialized performance snapshots; `PerformanceWidgets` provides formatted data for dashboard sync, including per-department and per-operator stats with access-control filtering.
   - Security and authentication hardening: improved password verification logic in REST API validator; added constant-time response delay in forgot-password flow to mitigate timing attacks; updated hashing methods for login and password update flows; implemented expired hash cleanup (deleteExpiredHashes) called from setRemindHash, remindpassword, and forgotpassword modules; removed LDAP authentication components; updated autologin with nonce support and improved hash validation; masked error messages for users without access to unhidden emails in send and reply APIs.
   - Bot and event system: enhanced chat variable update handling and event dispatching; ignored default trigger message when a trigger is started manually; added support for invisible arguments in bot triggers; added event dispatch for transfer-to-human action; added event argument for custom is-online status checks.
   - Editor and operator UI: added switch-editor option in active chat tab and a new permission for operators to toggle between new and old editors; added icons and colors to the transfer window; increased subject modal window width; fixed form loading scroll event; avoided null being displayed before a chat starts.
   - Export and reports: enhanced export functionality with ChatML support and UI improvements; fixed compatibility with non-strict sql_mode for certain reports.
   - Bug fixes: fixed matching rule search; minor fixes including string conversion and typo corrections.

2. Summary
   - This release introduces a new real-time performance dashboard with configurable department and operator widgets backed by a cron aggregator and a dedicated `lh_abstract_performance` table.
   - Security is hardened across authentication flows: stronger hashing, timing-safe responses, expired hash cleanup, autologin nonce support, and LDAP removal.
   - Operator productivity is improved with a switchable editor, richer transfer UI, and expanded bot/event capabilities. Export and report compatibility are also addressed.

For update just follow standard update procedure. For manual update it's update_352.sql

**Full Changelog**: ;https://github.com/LiveHelperChat/livehelperchat/compare/4.85v...4.86v

4.85v Security updates

1. Notable changes since 4.84v
   - Security and access control: tightened chat operation permissions by requiring proper read/write access checks; additional permission hardening was applied across related flows.
   - CSP and policy handling: completed CSP parser integration and follow-up fixes, including policy exposure hardening and parser/library alignment.
   - Voice messaging and widget UX: improved voice-message flow and UX, updated voice app behavior, kept cursor focus on desktop, and added a widget-theme option to disable voice messages.
   - Translation workflow: improved automatic translation reliability, added DeepL model/formality options, enhanced metadata/error handling, and refined start/stop and old-message translation flows.
   - Analytics and timing metrics: improved chat duration/response-time calculations, participant timing accounting, and operator duration output in reports.
   - REST API and diagnostics: added optional custom REST API messages, improved exception visibility/traceback details, and enabled direct log viewing from back office.
   - Invitations and online-hours logic: enhanced invitation alias/profile handling and improved overlapping online-hours period calculations.
   - UI/translations/dependencies: updated translations, refreshed JS dependencies (including html-react-parser migration), and applied multiple package/security updates.
   - Misc fixes: delivered issue-specific fixes and regressions cleanup (including #2378, #2379, #2382), plus release workflow updates.

2. Summary
   - This release focuses on security hardening, CSP maturity, and operator productivity, while also improving voice messaging UX and translation automation quality.
   - It also improves chat/mail timing metrics and diagnostics, with additional stability updates across UI, dependencies, and release automation.

For update just follow standard update procedure. No new DB migration script required for this release.

**Full Changelog**: ;https://github.com/LiveHelperChat/livehelperchat/compare/4.84v...4.85v

4.83v Subject archive

1. Notable changes since 4.82v

   • Chat list sorting: added sort options for highest and lowest message count in chat lists; a validation warning is shown when sorting by message count without a date range of 31 days or less.
   • Webhooks: debug mode support added to processEvent in both chat and mail conversation continuous webhook classes; new validation conditions notempty and in_list; improved error handling and logging; webhook form updated with chat ID testing and improved button styling; test pattern module enhanced with webhook ID validation.
   • Dropdown: "Select all" and "Unselect all" buttons added to multi-select dropdowns across the back-office; dropdown plugin and render helper updated accordingly.
   • Subject filter: subject filter conditions added to the chat list search panel and mail conversation search panel; department user dep logic enhanced.
   • Widget: bumped to version 272; improved screenAttributesUpdate height/width calculations for better responsiveness across screen sizes; wrapper now passes its version to the API; fixed proper termination in wrapper source.
   • Canned messages: fixed auto-uppercase breaking text input in the new rich-text editor (LHCEditor).
   • REST API: fixed authentication validator regression.
   • Chat core: added support for dashes in chat handling logic.
   • Templates: minor fixes in chat lists template and survey fill-widget template.

2. Summary

3. This release improves chat list usability with message count sorting, strengthens webhook debugging with debug mode and new validation conditions, and enhances multi-select dropdowns with select-all/unselect-all controls.
4. Widget responsiveness and wrapper version reporting are improved; canned message auto-uppercase and REST API auth issues are resolved.

For update just follow standard update procedure. For manual update it's update_350.sql

https://github.com/LiveHelperChat/livehelperchat/compare/4.82v...4.83v

4.82v Security updates, expanded widget mode

1. Notable changes since 4.81v
   • Security/file handling: enhanced MIME type validation across file download endpoints (downloadfile.php, inlinedownload.php, REST API file.php); MIME type constants added in mail conversation parser; all operator/visitor uploads validated against var folder path; resolved security issues L01, L02, L04, L05, L06, L11, L13.
   • Widget: added expand mode with configurable width/height ratios and new shrink_text/expand_text UI fields; widget communication updated to include user session prefill variables in sent messages; fixed reloadWidget function; updated wrapper version.
   • Chat search/statistics: added message count filters (operators, visitors, bots) to search panel and statistics tabs; added total messages count input field; added search by message ID range.
   • Chat tab visibility: operators can toggle chat tab visibility (show/hide chat tabs) via quick actions in user settings.
   • User settings: added auto-accept chats option and alert preference for transferred chats.
   • Variables/prefill: support for passing custom back-office vars as lhc_var variables; encrypted prefilled variables always applied; variable only set when replaceable variable is non-empty; proactive invitations now update vars when custom vars are passed.
   • Theme/translations: widget theme translate method accepts user context; REST API modules (checkchatstatus, getinvitation, initchat, onlinesettings, settings) use user context for theme translations; multilanguage support for custom fields; fetchByVid includes caching option.
   • Canned messages: refactored retrieval with getCannedMessages method; added auto_send filter and ignore_subjects parameter.
   • Extensions: support for extensions to contribute custom side-menu items.
   • Configuration: folder/directory write-permission checks added to the configuration page with per-directory success/error indicators.
   • Bot: support for background workers in REST API bot action; improved bot detection filtering.
   • Message history: previous-message loading always uses all messages when the page limit is not reached; safe inclusion of all chat messages.
2. Summary
   • This release strengthens file handling security with MIME type validation, file path checks, and resolves multiple L-series security issues.
   • Operator UX improvements include widget expand mode, chat tab visibility toggles, and richer user settings (auto-accept, transfer alerts).
   • Search and statistics gain new message count filters; extensions gain custom side-menu support; theme translations now respect user context.
3. Contributors
   • L01: SSRF via incoming webhook image download (CWE-918)
   • L06: Mass assignment in REST API file PUT leading to arbitrary file read (CWE-915, CWE-22)
   • L11: Stored XSS via Content-Type spoofing in file upload (CWE-79, CWE-345)
   • L13: Unsafe deserialization in configuration loader (CWE-502)

Vulnerability Researcher: Pedro J. Núñez-Cacho Fuentes (https://blogs.tunelko.com)

For update just follow standard update procedure. For manual update it's update_349.sql

**Full Changelog**: ;https://github.com/LiveHelperChat/livehelperchat/compare/4.81v...4.82v

4.81v One-Time proactive invitations

1. Notable changes since 4.80v
   - One-time proactive chat invitations: new DB table `lh_abstract_proactive_chat_invitation_one_time` tracks which visitors have already seen an invitation, preventing repeat displays.
   - Proactive invitations: cleanup logic added for stale one-time invitation records; widget now records when a one-time invitation is shown; edit module enhanced with custom actions for proactive invitations.
   - Captcha: added provider-based captcha support — Google reCAPTCHA v3 and Cloudflare Turnstile are now both supported with a shared validation layer (`CaptchaValidator`, `erLhcoreClassUserValidator`).
   - Captcha admin UI: provider selector with provider-specific field sections; shared key labels across providers; CSRF redirect fix.
   - Translation system: UX improvements for automatic translations; operator and visitor message translation differentiated; messages with existing translations are now skipped; translation configuration UI updated.
   - Bot/Widget: custom HTML buttons and bot buttons are now disabled when a form is in progress status; alert messages added; placeholder for name field in widget start form.
   - Editor: fixed infinite loop issue in the new rich-text editor (LHCEditor).
   - Dashboard: removed legacy old dashboard; cleaned up related options and switch logic.
   - Security/permissions: added permission access checks in block user, hold action, transfer chat, and chat widget closed flows.
   - PHP 8.5 compatibility: resolved deprecation and compatibility issues.
   - Translations: updated translation catalogs including new captcha-related and translation-workflow keys.

2. Summary
   - This release introduces one-time proactive chat invitations, a flexible multi-provider captcha system, and several translation workflow improvements.
   - Includes editor stability fixes, dashboard cleanup, PHP 8.5 compatibility, and stricter permission checks across chat action endpoints.

For update just follow standard update procedure. For manual update it's update_348.sql

**Full Changelog**: https://github.com/LiveHelperChat/livehelperchat/compare/4.80v...4.81v