fix: Only match prefixes in sensitive name regex #2643

luke-belton · 2025-11-26T11:03:20Z

It looks like this has been in the SDK forever, but the regex pattern we use was matching any substring for most of our sensitive looking fields (everything except cc). I think the intent would've been to only look at prefixes, as we were doing for cc.

Currently if, for example, exp appeared anywhere inside the name/id attribute of an element then we wouldn't capture it.

https://posthoghelp.zendesk.com/agent/tickets/42648

Release info Sub-libraries affected

Libraries affected

Checklist

Tests for new code
Accounted for the impact of any changes across different platforms
Accounted for backwards compatibility of any changes (no breaking changes!)
Took care not to unnecessarily increase the bundle size

If releasing new changes

Ran pnpm changeset to generate a changeset file
Added the "release" label to the PR to indicate we're publishing new versions for the affected packages

vercel · 2025-11-26T11:03:25Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
posthog-js	Ready	Preview	Nov 26, 2025 11:20am
posthog-nextjs-config	Ready	Preview	Nov 26, 2025 11:20am

github-actions · 2025-11-26T11:03:34Z

📝 No Changeset Found

This PR doesn't include a changeset. A changeset (and the release label) is required to release a new version.

How to add a changeset

Run this command and follow the prompts:

pnpm changeset

Remember: Never use major version bumps for posthog-js as it's autoloaded by clients.

greptile-apps

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

github-actions · 2025-11-26T11:07:29Z

Download bundle size visualization

pauldambra · 2025-11-26T11:08:44Z

packages/browser/src/autocapture-utils.ts

        // it's possible for el.name or el.id to be a DOM element if el is a form with a child input[name="name"]
        const sensitiveNameRegex =
-            /^cc|cardnum|ccnum|creditcard|csc|cvc|cvv|exp|pass|pwd|routing|seccode|securitycode|securitynum|socialsec|socsec|ssn/i
+            /^(cc|cardnum|ccnum|creditcard|csc|cvc|cvv|exp|pass|pwd|routing|seccode|securitycode|securitynum|socialsec|socsec|ssn)/i


i think i understand the change here but

can you ask Claude to write parameterised tests proving the change and behaviour?

made a change - tbh I'm not totally convinced by this set of sensitive patterns anyway - there's lots of things that aren't sensitive that might start with exp.

Also there's part of me that thinks we shouldn't have the check here anyway:

posthog-js/packages/browser/src/autocapture.ts

Lines 41 to 44 in f7d6b69

const shouldCaptureEl = shouldCaptureElement(elem)

if (!shouldCaptureEl) {

return {}

}

if a user has added the attributes to an element (even if it's a potentially sensitive element), then surely we should capture the attributes regardless?

it is way more preferable to miss something safe than to capture something sensitive!

what we should do is let someone override this so that if they disagree then they can set their own and we add a property to say "hey, this is your regex, it's not on us"

(that's how we do it in replay payload capture"

Having got into this a bit more, the way things are at the moment (as I understand it), we detect an element is sensitive with shouldCaptureElement, but that check doesn't apply in all places, so the elements would be captured regardless in elements_chain. I think it maybe needs some wider thought than this one small fix

posthog-js/src/autocapture.ts

Line 106 in 19fc73b

if (isSensitiveElement(elem) && ['name', 'id', 'class', 'aria-label'].indexOf(attr.name) === -1) return

I believe this is the check we do for capturing the elements_chain

I'm going to close this PR for now - working on something over on #2647 instead

github-actions · 2025-11-26T11:10:56Z

Size Change: +24 B (0%)

Total Size: 5.08 MB

Filename	Size	Change
`packages/browser/dist/all-external-dependencies.js`	227 kB	+2 B (0%)
`packages/browser/dist/array.full.es5.js`	301 kB	+2 B (0%)
`packages/browser/dist/array.full.js`	367 kB	+2 B (0%)
`packages/browser/dist/array.full.no-external.js`	381 kB	+2 B (0%)
`packages/browser/dist/array.js`	162 kB	+2 B (0%)
`packages/browser/dist/array.no-external.js`	174 kB	+2 B (0%)
`packages/browser/dist/dead-clicks-autocapture.js`	12.8 kB	+2 B (+0.02%)
`packages/browser/dist/main.js`	163 kB	+2 B (0%)
`packages/browser/dist/module.full.js`	367 kB	+2 B (0%)
`packages/browser/dist/module.full.no-external.js`	382 kB	+2 B (0%)
`packages/browser/dist/module.js`	163 kB	+2 B (0%)
`packages/browser/dist/module.no-external.js`	175 kB	+2 B (0%)

ℹ️ View Unchanged

Filename	Size
`packages/ai/dist/anthropic/index.cjs`	17.3 kB
`packages/ai/dist/anthropic/index.mjs`	17.2 kB
`packages/ai/dist/gemini/index.cjs`	21.2 kB
`packages/ai/dist/gemini/index.mjs`	21 kB
`packages/ai/dist/index.cjs`	138 kB
`packages/ai/dist/index.mjs`	137 kB
`packages/ai/dist/langchain/index.cjs`	40.8 kB
`packages/ai/dist/langchain/index.mjs`	40.3 kB
`packages/ai/dist/openai/index.cjs`	41.6 kB
`packages/ai/dist/openai/index.mjs`	41.3 kB
`packages/ai/dist/vercel/index.cjs`	29.6 kB
`packages/ai/dist/vercel/index.mjs`	29.6 kB
`packages/browser/dist/crisp-chat-integration.js`	2.11 kB
`packages/browser/dist/customizations.full.js`	19.2 kB
`packages/browser/dist/exception-autocapture.js`	11.7 kB
`packages/browser/dist/external-scripts-loader.js`	2.95 kB
`packages/browser/dist/intercom-integration.js`	2.16 kB
`packages/browser/dist/lazy-recorder.js`	150 kB
`packages/browser/dist/posthog-recorder.js`	246 kB
`packages/browser/dist/recorder-v2.js`	113 kB
`packages/browser/dist/recorder.js`	113 kB
`packages/browser/dist/surveys-preview.js`	72.5 kB
`packages/browser/dist/surveys.js`	84.3 kB
`packages/browser/dist/tracing-headers.js`	1.93 kB
`packages/browser/dist/web-vitals.js`	10.5 kB
`packages/browser/react/dist/esm/index.js`	18.8 kB
`packages/browser/react/dist/umd/index.js`	21.9 kB
`packages/core/dist/error-tracking/chunk-ids.js`	2.54 kB
`packages/core/dist/error-tracking/chunk-ids.mjs`	1.31 kB
`packages/core/dist/error-tracking/coercers/dom-exception-coercer.js`	2.3 kB
`packages/core/dist/error-tracking/coercers/dom-exception-coercer.mjs`	993 B
`packages/core/dist/error-tracking/coercers/error-coercer.js`	2.02 kB
`packages/core/dist/error-tracking/coercers/error-coercer.mjs`	794 B
`packages/core/dist/error-tracking/coercers/error-event-coercer.js`	1.76 kB
`packages/core/dist/error-tracking/coercers/error-event-coercer.mjs`	513 B
`packages/core/dist/error-tracking/coercers/event-coercer.js`	1.82 kB
`packages/core/dist/error-tracking/coercers/event-coercer.mjs`	548 B
`packages/core/dist/error-tracking/coercers/index.js`	6.79 kB
`packages/core/dist/error-tracking/coercers/index.mjs`	326 B
`packages/core/dist/error-tracking/coercers/object-coercer.js`	3.46 kB
`packages/core/dist/error-tracking/coercers/object-coercer.mjs`	2.07 kB
`packages/core/dist/error-tracking/coercers/primitive-coercer.js`	1.67 kB
`packages/core/dist/error-tracking/coercers/primitive-coercer.mjs`	419 B
`packages/core/dist/error-tracking/coercers/promise-rejection-event.js`	2.25 kB
`packages/core/dist/error-tracking/coercers/promise-rejection-event.mjs`	904 B
`packages/core/dist/error-tracking/coercers/string-coercer.js`	2.01 kB
`packages/core/dist/error-tracking/coercers/string-coercer.mjs`	820 B
`packages/core/dist/error-tracking/coercers/utils.js`	2.06 kB
`packages/core/dist/error-tracking/coercers/utils.mjs`	716 B
`packages/core/dist/error-tracking/error-properties-builder.js`	5.49 kB
`packages/core/dist/error-tracking/error-properties-builder.mjs`	4.15 kB
`packages/core/dist/error-tracking/index.js`	4.11 kB
`packages/core/dist/error-tracking/index.mjs`	152 B
`packages/core/dist/error-tracking/parsers/base.js`	1.83 kB
`packages/core/dist/error-tracking/parsers/base.mjs`	464 B
`packages/core/dist/error-tracking/parsers/chrome.js`	2.73 kB
`packages/core/dist/error-tracking/parsers/chrome.mjs`	1.32 kB
`packages/core/dist/error-tracking/parsers/gecko.js`	2.47 kB
`packages/core/dist/error-tracking/parsers/gecko.mjs`	1.13 kB
`packages/core/dist/error-tracking/parsers/index.js`	4.38 kB
`packages/core/dist/error-tracking/parsers/index.mjs`	1.94 kB
`packages/core/dist/error-tracking/parsers/node.js`	3.94 kB
`packages/core/dist/error-tracking/parsers/node.mjs`	2.68 kB
`packages/core/dist/error-tracking/parsers/opera.js`	2.26 kB
`packages/core/dist/error-tracking/parsers/opera.mjs`	746 B
`packages/core/dist/error-tracking/parsers/safari.js`	1.88 kB
`packages/core/dist/error-tracking/parsers/safari.mjs`	574 B
`packages/core/dist/error-tracking/parsers/winjs.js`	1.72 kB
`packages/core/dist/error-tracking/parsers/winjs.mjs`	426 B
`packages/core/dist/error-tracking/types.js`	1.33 kB
`packages/core/dist/error-tracking/types.mjs`	131 B
`packages/core/dist/error-tracking/utils.js`	1.8 kB
`packages/core/dist/error-tracking/utils.mjs`	604 B
`packages/core/dist/eventemitter.js`	1.78 kB
`packages/core/dist/eventemitter.mjs`	571 B
`packages/core/dist/featureFlagUtils.js`	6.5 kB
`packages/core/dist/featureFlagUtils.mjs`	4.28 kB
`packages/core/dist/gzip.js`	1.88 kB
`packages/core/dist/gzip.mjs`	577 B
`packages/core/dist/index.js`	5.7 kB
`packages/core/dist/index.mjs`	485 B
`packages/core/dist/posthog-core-stateless.js`	29.6 kB
`packages/core/dist/posthog-core-stateless.mjs`	27 kB
`packages/core/dist/posthog-core.js`	28 kB
`packages/core/dist/posthog-core.mjs`	24 kB
`packages/core/dist/process/index.js`	2.77 kB
`packages/core/dist/process/index.mjs`	114 B
`packages/core/dist/process/spawn-local.js`	1.82 kB
`packages/core/dist/process/spawn-local.mjs`	568 B
`packages/core/dist/process/utils.js`	3.12 kB
`packages/core/dist/process/utils.mjs`	1.15 kB
`packages/core/dist/testing/index.js`	2.93 kB
`packages/core/dist/testing/index.mjs`	79 B
`packages/core/dist/testing/PostHogCoreTestClient.js`	3.15 kB
`packages/core/dist/testing/PostHogCoreTestClient.mjs`	1.74 kB
`packages/core/dist/testing/test-utils.js`	2.77 kB
`packages/core/dist/testing/test-utils.mjs`	1.09 kB
`packages/core/dist/types.js`	8.2 kB
`packages/core/dist/types.mjs`	5.93 kB
`packages/core/dist/utils/bot-detection.js`	3.28 kB
`packages/core/dist/utils/bot-detection.mjs`	1.95 kB
`packages/core/dist/utils/bucketed-rate-limiter.js`	3 kB
`packages/core/dist/utils/bucketed-rate-limiter.mjs`	1.62 kB
`packages/core/dist/utils/index.js`	11 kB
`packages/core/dist/utils/index.mjs`	1.94 kB
`packages/core/dist/utils/logger.js`	2.5 kB
`packages/core/dist/utils/logger.mjs`	1.22 kB
`packages/core/dist/utils/number-utils.js`	2 kB
`packages/core/dist/utils/number-utils.mjs`	735 B
`packages/core/dist/utils/promise-queue.js`	2 kB
`packages/core/dist/utils/promise-queue.mjs`	768 B
`packages/core/dist/utils/string-utils.js`	1.91 kB
`packages/core/dist/utils/string-utils.mjs`	414 B
`packages/core/dist/utils/type-utils.js`	6.93 kB
`packages/core/dist/utils/type-utils.mjs`	3.03 kB
`packages/core/dist/vendor/uuidv7.js`	8.29 kB
`packages/core/dist/vendor/uuidv7.mjs`	6.72 kB
`packages/nextjs-config/dist/config.js`	4.54 kB
`packages/nextjs-config/dist/config.mjs`	3.06 kB
`packages/nextjs-config/dist/index.js`	2.24 kB
`packages/nextjs-config/dist/index.mjs`	30 B
`packages/nextjs-config/dist/utils.js`	3.83 kB
`packages/nextjs-config/dist/utils.mjs`	1.72 kB
`packages/node/dist/client.js`	23.2 kB
`packages/node/dist/client.mjs`	21.3 kB
`packages/node/dist/entrypoints/index.edge.js`	4.22 kB
`packages/node/dist/entrypoints/index.edge.mjs`	696 B
`packages/node/dist/entrypoints/index.node.js`	5.16 kB
`packages/node/dist/entrypoints/index.node.mjs`	945 B
`packages/node/dist/experimental.js`	603 B
`packages/node/dist/experimental.mjs`	0 B	🆕
`packages/node/dist/exports.js`	3.6 kB
`packages/node/dist/exports.mjs`	124 B
`packages/node/dist/extensions/error-tracking/autocapture.js`	2.65 kB
`packages/node/dist/extensions/error-tracking/autocapture.mjs`	1.23 kB
`packages/node/dist/extensions/error-tracking/index.js`	3.88 kB
`packages/node/dist/extensions/error-tracking/index.mjs`	2.61 kB
`packages/node/dist/extensions/error-tracking/modifiers/context-lines.node.js`	8.81 kB
`packages/node/dist/extensions/error-tracking/modifiers/context-lines.node.mjs`	7.15 kB
`packages/node/dist/extensions/error-tracking/modifiers/module.node.js`	2.78 kB
`packages/node/dist/extensions/error-tracking/modifiers/module.node.mjs`	1.45 kB
`packages/node/dist/extensions/express.js`	2.17 kB
`packages/node/dist/extensions/express.mjs`	548 B
`packages/node/dist/extensions/feature-flags/cache.js`	603 B
`packages/node/dist/extensions/feature-flags/cache.mjs`	0 B	🆕
`packages/node/dist/extensions/feature-flags/crypto.js`	1.57 kB
`packages/node/dist/extensions/feature-flags/crypto.mjs`	395 B
`packages/node/dist/extensions/feature-flags/feature-flags.js`	30.4 kB
`packages/node/dist/extensions/feature-flags/feature-flags.mjs`	28.4 kB
`packages/node/dist/extensions/sentry-integration.js`	4.66 kB
`packages/node/dist/extensions/sentry-integration.mjs`	3.17 kB
`packages/node/dist/storage-memory.js`	1.52 kB
`packages/node/dist/storage-memory.mjs`	297 B
`packages/node/dist/types.js`	603 B
`packages/node/dist/types.mjs`	0 B	🆕
`packages/node/dist/version.js`	1.21 kB
`packages/node/dist/version.mjs`	46 B
`packages/nuxt/dist/module.mjs`	4.19 kB
`packages/nuxt/dist/runtime/nitro-plugin.js`	1.08 kB
`packages/nuxt/dist/runtime/vue-plugin.js`	1.14 kB
`packages/react-native/dist/autocapture.js`	4.68 kB
`packages/react-native/dist/error-tracking/index.js`	6.77 kB
`packages/react-native/dist/error-tracking/utils.js`	2.58 kB
`packages/react-native/dist/frameworks/wix-navigation.js`	1.3 kB
`packages/react-native/dist/hooks/useFeatureFlag.js`	1.49 kB
`packages/react-native/dist/hooks/useFeatureFlags.js`	821 B
`packages/react-native/dist/hooks/useNavigationTracker.js`	2.46 kB
`packages/react-native/dist/hooks/usePostHog.js`	467 B
`packages/react-native/dist/index.js`	3.12 kB
`packages/react-native/dist/native-deps.js`	13.9 kB
`packages/react-native/dist/optional/OptionalAsyncStorage.js`	299 B
`packages/react-native/dist/optional/OptionalExpoApplication.js`	377 B
`packages/react-native/dist/optional/OptionalExpoDevice.js`	347 B
`packages/react-native/dist/optional/OptionalExpoFileSystem.js`	386 B
`packages/react-native/dist/optional/OptionalExpoFileSystemLegacy.js`	423 B
`packages/react-native/dist/optional/OptionalExpoLocalization.js`	383 B
`packages/react-native/dist/optional/OptionalReactNativeDeviceInfo.js`	415 B
`packages/react-native/dist/optional/OptionalReactNativeLocalize.js`	303 B
`packages/react-native/dist/optional/OptionalReactNativeNavigation.js`	415 B
`packages/react-native/dist/optional/OptionalReactNativeNavigationWix.js`	443 B
`packages/react-native/dist/optional/OptionalReactNativeSafeArea.js`	644 B
`packages/react-native/dist/optional/OptionalSessionReplay.js`	455 B
`packages/react-native/dist/posthog-rn.js`	37 kB
`packages/react-native/dist/PostHogContext.js`	329 B
`packages/react-native/dist/PostHogProvider.js`	4.77 kB
`packages/react-native/dist/storage.js`	3.39 kB
`packages/react-native/dist/surveys/components/BottomSection.js`	1.34 kB
`packages/react-native/dist/surveys/components/Cancel.js`	909 B
`packages/react-native/dist/surveys/components/ConfirmationMessage.js`	1.58 kB
`packages/react-native/dist/surveys/components/QuestionHeader.js`	1.11 kB
`packages/react-native/dist/surveys/components/QuestionTypes.js`	10.1 kB
`packages/react-native/dist/surveys/components/SurveyModal.js`	3.86 kB
`packages/react-native/dist/surveys/components/Surveys.js`	7.18 kB
`packages/react-native/dist/surveys/getActiveMatchingSurveys.js`	3.69 kB
`packages/react-native/dist/surveys/icons.js`	7.76 kB
`packages/react-native/dist/surveys/index.js`	600 B
`packages/react-native/dist/surveys/PostHogSurveyProvider.js`	5.66 kB
`packages/react-native/dist/surveys/surveys-utils.js`	9.31 kB
`packages/react-native/dist/surveys/useActivatedSurveys.js`	3.38 kB
`packages/react-native/dist/surveys/useSurveyStorage.js`	2.16 kB
`packages/react-native/dist/tooling/expoconfig.js`	2.63 kB
`packages/react-native/dist/tooling/metroconfig.js`	2.2 kB
`packages/react-native/dist/tooling/posthogMetroSerializer.js`	11.1 kB
`packages/react-native/dist/tooling/utils.js`	4.05 kB
`packages/react-native/dist/tooling/vendor/expo/expoconfig.js`	70 B
`packages/react-native/dist/tooling/vendor/metro/countLines.js`	237 B
`packages/react-native/dist/tooling/vendor/metro/utils.js`	3.35 kB
`packages/react-native/dist/types.js`	70 B
`packages/react-native/dist/utils.js`	539 B
`packages/react-native/dist/version.js`	130 B
`packages/react/dist/esm/index.js`	18.8 kB
`packages/react/dist/umd/index.js`	21.9 kB
`packages/rollup-plugin/dist/index.js`	3.61 kB
`packages/web/dist/index.cjs`	13.8 kB
`packages/web/dist/index.mjs`	13.7 kB
`packages/webpack-plugin/dist/config.js`	2.65 kB
`packages/webpack-plugin/dist/config.mjs`	1.42 kB
`packages/webpack-plugin/dist/index.js`	5.83 kB
`packages/webpack-plugin/dist/index.mjs`	2.73 kB
`tooling/changelog/dist/index.js`	3.31 kB
`tooling/rollup-utils/dist/index.js`	1.17 kB

_{compressed-size-action}

luke-belton · 2025-11-26T11:16:43Z

packages/browser/src/__tests__/autocapture-utils.test.ts

+            expect(shouldCaptureElement(input)).toBe(false)
+        })

+        it.each(['document-expiry', 'success_message', 'account-settings', 'compass-icon'])(


document-expiry and compass-icon would have failed before because of exp and pass appearing anywhere in the string.

success_message and account-setting would have passed because cc wasn't at the start.

only match prefixes

9ed3e1b

greptile-apps bot reviewed Nov 26, 2025

View reviewed changes

vercel bot deployed to Preview – posthog-nextjs-config November 26, 2025 11:06 View deployment

vercel bot deployed to Preview – posthog-js November 26, 2025 11:06 View deployment

pauldambra reviewed Nov 26, 2025

View reviewed changes

update tests

2c9e9ed

luke-belton commented Nov 26, 2025

View reviewed changes

vercel bot deployed to Preview – posthog-nextjs-config November 26, 2025 11:20 View deployment

vercel bot deployed to Preview – posthog-js November 26, 2025 11:20 View deployment

luke-belton mentioned this pull request Nov 26, 2025

chore: refactor sensitive data capture #2647

Draft

15 tasks

luke-belton closed this Dec 1, 2025

	const shouldCaptureEl = shouldCaptureElement(elem)
	if (!shouldCaptureEl) {
	return {}
	}

fix: Only match prefixes in sensitive name regex #2643

fix: Only match prefixes in sensitive name regex #2643

Uh oh!

Conversation

luke-belton commented Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release info Sub-libraries affected

Libraries affected

Checklist

If releasing new changes

Uh oh!

vercel bot commented Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📝 No Changeset Found

How to add a changeset

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pauldambra Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

luke-belton Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

pauldambra Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

luke-belton Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

luke-belton Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

luke-belton Dec 1, 2025

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

luke-belton Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

luke-belton commented Nov 26, 2025 •

edited

Loading

vercel bot commented Nov 26, 2025 •

edited

Loading

github-actions bot commented Nov 26, 2025 •

edited

Loading

github-actions bot commented Nov 26, 2025 •

edited

Loading

github-actions bot commented Nov 26, 2025 •

edited

Loading