Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix: prompt-injection-redact would re-hide a revealed container#161

Merged
twschiller merged 1 commit into
mainfrom
fix/prompt-injection-reveal-skip
Jun 5, 2026
Merged

Fix: prompt-injection-redact would re-hide a revealed container#161
twschiller merged 1 commit into
mainfrom
fix/prompt-injection-reveal-skip

Conversation

@twschiller

Copy link
Copy Markdown
Contributor

Summary

Same structural bug as #160 (disguised-ad-flag): the hidden element is an ancestor of the matched text node (the nearest p/li/blockquote/…/section), so the reveal stamp lands on the container — not on anything walkTextNodes returns. The candidate-skip set only checked isInsidePlaceholder and isConnected, so a subsequent apply walked back up from the still-present injection text and re-wrapped the same container into a fresh placeholder.

Not yet user-visible because prompt-injection-redact has no MutationObserver, so reveal never triggers an immediate re-scan. Two paths still hit it today:

Fix is the one-liner from #160closest([data-abs-revealed="prompt-injection-redact"]) against the container before hiding.

Audited every other reveal-capable rule while I was in here; this was the only twin. Other rules either pass the candidate directly to replaceWithBlockPlaceholder (so REVEALED_ATTR lands on what they check), dedup via a per-rule WeakSet of processed elements (countdown-timer-redact, irrelevant-sections-redact), or use inline text-node placeholders whose reveal mutation the watcher already filters out.

Test plan

  • bun run test (1265 passed, 65 suites)
  • bunx tsc --noEmit clean
  • bunx eslint clean on touched files
  • New regression tests in prompt-injection-redact.test.ts:
    • "does not re-hide a container the user revealed" — the actual bug.
    • "still hides a sibling container after an unrelated reveal" — guards against the skip check being too broad (sibling paragraphs with their own injection text must still get hidden).

🤖 Generated with Claude Code

Same structural bug as #160 (disguised-ad-flag): the hidden element
is an ancestor of the matched text node, so the reveal stamp lands on
the container — not on anything `walkTextNodes` returns. The skip set
only checked `isInsidePlaceholder` and `isConnected`, so a subsequent
`apply` (rule disable→enable, or any future MutationObserver-driven
re-scan) walked back up from the still-present injection text and
re-wrapped the same container.

Not yet user-visible because the rule has no watcher, but the fix is
the same one-liner used in #160 — closer to apply rather than walk
through three more bug reports if a watcher is wired in later.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@vercel

vercel Bot commented Jun 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agent-browser-shield-demo-site Ready Ready Preview, Comment Jun 5, 2026 12:13pm

Request Review

@twschiller twschiller merged commit 4a10459 into main Jun 5, 2026
7 checks passed
@twschiller twschiller deleted the fix/prompt-injection-reveal-skip branch June 5, 2026 13:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant