Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Ensure password inputs are always masked #78

Merged
merged 2 commits into from
Mar 8, 2023
Merged

feat: Ensure password inputs are always masked #78

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9b9520c
feat: Do not allow unmasking password inputs
mydea Mar 7, 2023
78eb9e2
feat: Always mask password inputs
mydea Mar 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 1 addition & 4 deletions packages/rrweb-snapshot/src/snapshot.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1201,12 +1201,9 @@ function snapshot(
week: true,
textarea: true,
select: true,
password: true,
}
: maskAllInputs === false
? {
password: true,
}
? {}
: maskAllInputs;
const slimDOMOptions: SlimDOMOptions =
slimDOM === true || slimDOM === 'all'
Expand Down
2 changes: 1 addition & 1 deletion packages/rrweb-snapshot/src/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ export type MaskInputOptions = Partial<{
// unify textarea and select element with text input
textarea: boolean;
select: boolean;
password: boolean;
// password is _always_ masked, can't opt out of this
radio: boolean;
checkbox: boolean;
}>;
Expand Down
10 changes: 9 additions & 1 deletion packages/rrweb-snapshot/src/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,13 @@ function isInputTypeMasked({
tagName = 'select';
}

// We only care about the type if it is a string
const actualType = typeof type === 'string' ? type.toLowerCase() : undefined;

return (
maskInputOptions[tagName.toLowerCase() as keyof MaskInputOptions] ||
maskInputOptions[type as keyof MaskInputOptions] ||
(actualType && maskInputOptions[actualType as keyof MaskInputOptions]) ||
actualType === 'password' ||
// Default to "text" option for inputs without a "type" attribute defined
(tagName === 'input' && !type && maskInputOptions['text'])
);
Expand Down Expand Up @@ -78,6 +82,10 @@ export function maskInputValue({
return text;
}

if (input.hasAttribute('rr_is_password')) {
type = 'password';
}

if (
isInputTypeMasked({ maskInputOptions, tagName, type }) ||
(maskInputSelector && input.matches(maskInputSelector))
Expand Down
1 change: 0 additions & 1 deletion packages/rrweb-snapshot/typings/types.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,6 @@ export type MaskInputOptions = Partial<{
week: boolean;
textarea: boolean;
select: boolean;
password: boolean;
radio: boolean;
checkbox: boolean;
}>;
Expand Down
3 changes: 1 addition & 2 deletions packages/rrweb/src/record/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,13 +104,12 @@ function record<T = eventWithTime>(
week: true,
textarea: true,
select: true,
password: true,
radio: true,
checkbox: true,
}
: _maskInputOptions !== undefined
? _maskInputOptions
: { password: true };
: {};

const slimDOMOptions: SlimDOMOptions =
_slimDOMOptions === true || _slimDOMOptions === 'all'
Expand Down
17 changes: 14 additions & 3 deletions packages/rrweb/src/record/mutation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -476,15 +476,15 @@ export default class MutationBuffer {
}
case 'attributes': {
const target = m.target as HTMLElement;
let value = (m.target as HTMLElement).getAttribute(m.attributeName!);
let value = target.getAttribute(m.attributeName!);
if (m.attributeName === 'value') {
value = maskInputValue({
input: target,
maskInputSelector: this.maskInputSelector,
unmaskInputSelector: this.unmaskInputSelector,
maskInputOptions: this.maskInputOptions,
tagName: (m.target as HTMLElement).tagName,
type: (m.target as HTMLElement).getAttribute('type'),
tagName: target.tagName,
type: target.getAttribute('type'),
value,
maskInputFn: this.maskInputFn,
});
Expand All @@ -502,6 +502,17 @@ export default class MutationBuffer {
};
this.attributes.push(item);
}

// Keep this property on inputs that used to be password inputs
// This is used to ensure we do not unmask value when using e.g. a "Show password" type button
if (
m.attributeName === 'type' &&
(m.target as HTMLElement).tagName === 'INPUT' &&
(m.oldValue || '').toLowerCase() === 'password'
) {
(m.target as HTMLElement).setAttribute('rr_is_password', 'true');
}

if (m.attributeName === 'style') {
const old = this.doc.createElement('span');
if (m.oldValue) {
Expand Down
7 changes: 6 additions & 1 deletion packages/rrweb/src/record/observer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -365,7 +365,7 @@ function initInputObserver({
) {
return;
}
const type: string | undefined = (target as HTMLInputElement).type;
let type: string | undefined = (target as HTMLInputElement).type;
if (
(target as HTMLElement).classList.contains(ignoreClass) ||
(ignoreSelector && (target as HTMLElement).matches(ignoreSelector))
Expand All @@ -375,6 +375,11 @@ function initInputObserver({

let text = (target as HTMLInputElement).value;
let isChecked = false;

if ((target as HTMLElement).hasAttribute('rr_is_password')) {
type = 'password';
}

if (type === 'radio' || type === 'checkbox') {
isChecked = (target as HTMLInputElement).checked;
} else if (
Expand Down
Loading