Closed Lms24 closed 1 year ago
Putting this here to not lose the Slack conversation:
We could probably get away with a similar approach as shown here: https://github.com/highlight/rrweb/commit/a50aed43f4e37e96b62fa90342852abea6edc72e#diff-45cc3019725e113400ca8fb1da26625aa1dc4cf507713f452af569d1cf22a257R578-R586
Currently, users can write custom `unmask` selectors to unmask passwords, meaning their users' passwords can be visible in clear text if the website for instance provides a "View Password" functionality.
IMO, under no circumstances whatsoever, never! (yup, feeling strongly about this) should we allow this to happen.
After chatting a little bit about this, probably the best way to block this type of unmasking is to change the unmasking behaviour in rrweb. We should investigate how to handle this best.
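One way the masking decision could refuse to unmask password fields, as an added sketch that is not code from this issue, from rrweb, or from the linked commit. The function names, the mask-by-default policy, and the `fakeInput` stand-in for a DOM `<input>` are assumptions made for the illustration.

```javascript
// Added illustration; all names are hypothetical, not rrweb or Sentry APIs.

// Inputs that have been observed with type="password" at least once.
// A WeakSet keeps the flag without touching the page's DOM attributes.
const everPassword = new WeakSet();

// Assumed to be called on every snapshot and every `type` attribute mutation,
// so the recorder sees the field as a password before any toggle happens.
function observeInput(el) {
  if (String(el.type).toLowerCase() === 'password') {
    everPassword.add(el);
  }
}

// The password check runs before the user-supplied unmask selector,
// so no selector can override it.
function shouldMaskInput(el, unmaskSelector) {
  observeInput(el);
  if (everPassword.has(el)) return true;              // never unmask passwords
  if (unmaskSelector && el.matches(unmaskSelector)) return false;
  return true;                                        // assumed default: mask all inputs
}

function recordedValue(el, unmaskSelector) {
  return shouldMaskInput(el, unmaskSelector)
    ? '*'.repeat(el.value.length)
    : el.value;
}

// Constructed stand-in for a DOM <input>; matches() only understands ".class".
function fakeInput(type, className, value) {
  return {
    type, className, value,
    matches(selector) {
      return selector.split(',').some((s) => s.trim() === '.' + this.className);
    },
  };
}

function demo() {
  const unmask = '.unmask-me';                        // constructed user selector
  const pw = fakeInput('password', 'unmask-me', 'hunter2');
  const name = fakeInput('text', 'unmask-me', 'alice');
  const before = recordedValue(pw, unmask);
  pw.type = 'text';                                   // "View Password" toggle
  const after = recordedValue(pw, unmask);
  return { before, after, name: recordedValue(name, unmask) };
}
```

The flag only helps if the recorder observes the element while it is still `type="password"`; a field that is switched to `text` before its first snapshot is indistinguishable from an ordinary text input.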