Skip to content

aria-labels should probably be scrubbed #16176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
3 tasks done
jgarplind opened this issue Apr 30, 2025 · 5 comments · Fixed by #16192
Closed
3 tasks done

aria-labels should probably be scrubbed #16176

jgarplind opened this issue Apr 30, 2025 · 5 comments · Fixed by #16192
Assignees
@chargome
Labels
Browser Improvement

Comments

@jgarplind
Copy link

Is there an existing issue for this?

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/react

SDK Version

9.10.1

Framework Version

18.3.1

Link to Sentry event

No response

Reproduction Example/SDK Setup

No response

Steps to Reproduce

User dead-clicked a link containing a non-text element, annotated by an aria-label.

Expected Result

aria-label contains text content the same way any other text node does, so it seems logical to me that it should be scrubbed the same way.

Actual Result

PII risks to be exposed, e.g. in Breadcrumbs view in a replay:

Image
@jgarplind jgarplind added the Bug label Apr 30, 2025
@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Apr 30, 2025
@github-actions github-actions bot added the React label Apr 30, 2025
@chargome chargome added Browser and removed React labels Apr 30, 2025
@chargome
Copy link
Member

Hey @jgarplind thanks for pointing that out, sounds reasonable to me – we'll look into this!

cc @s1gr1d PII issue

@mydea
Copy link
Member

mydea commented May 2, 2025

This should be relatively simple by adding this to the default list of maskAttributes = ['title', 'placeholder'],, makes sense to treat this the same way!

@chargome chargome self-assigned this May 5, 2025
@chargome chargome mentioned this issue May 5, 2025
Merged
@mydea mydea added the Improvement label May 7, 2025 — with Linear
@mydea mydea removed the Bug label May 7, 2025
@jgarplind
Copy link
Author

Happy to see this fixed so swiftly! Is there a good way for me to track when this is released, and in which version? If you for example have the practice of writing a comment in this issue once the fix has been released, that would be very useful.

@chargome
Copy link
Member

chargome commented May 16, 2025
edited
Loading

@jgarplind You'll be notified once this is released (which is likely today) 👍

@github-actions GitHub Actions
Copy link
Contributor

A PR closing this issue has just been released 🚀

This issue was referenced by PR #16192, which was included in the 9.20.0 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chargome chargome

Labels
Browser Improvement
Projects
GitHub Issues with 👀 3
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(replay): Extend default list for masking with aria-label getsentry/sentry-javascript
3 participants
@mydea @jgarplind @chargome