From c7374e72db3c3674e3305ff0bb277e0467f995e4 Mon Sep 17 00:00:00 2001
From: JunghwanNA <70629228+shaun0927@users.noreply.github.com>
Date: Sat, 18 Apr 2026 00:44:34 +0900
Subject: [PATCH] Stop leaking typed values through automatic Browser2 page inspection

The page-inspection helpers were using live text-entry values as fallback labels and verification payloads. This patch keeps structural metadata while redacting text-entry controls from automatic labels and verification values so Browser2 snapshots no longer surface typed secrets by default.
Constraint: Browser2 still needs stable selectors and non-secret metadata for automation flows
Rejected: Strip all verification metadata from form controls | would make click verification significantly less useful
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Do not reintroduce control into automatic labels or verification output without an explicit user-initiated inspection mode
Tested: pnpm install; pnpm run deps; apps/main npm run build; browser fixture redaction validation via OpenChrome
Not-tested: Full end-to-end Electron Browser2 interaction loop
---
 apps/x/apps/main/src/browser/page-scripts.ts | 25 ++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/apps/x/apps/main/src/browser/page-scripts.ts b/apps/x/apps/main/src/browser/page-scripts.ts
index fc079327..faaf3604 100644
--- a/apps/x/apps/main/src/browser/page-scripts.ts
+++ b/apps/x/apps/main/src/browser/page-scripts.ts
@@ -100,6 +100,19 @@ const getElementType = (element) => {
 return null;
 };
 
+const isTextEntryElement = (element) => (
+ element instanceof HTMLInputElement
+ || element instanceof HTMLTextAreaElement
+ || (element instanceof HTMLElement && element.isContentEditable)
+);
+
+const shouldRedactVerificationValue = (element) => (
+ element instanceof HTMLInputElement
+ ? !['checkbox', 'radio', 'range', 'button', 'submit', 'reset'].includes((element.type || '').toLowerCase())
+ : element instanceof HTMLTextAreaElement
+ || (element instanceof HTMLElement && element.isContentEditable)
+);
+
 const getElementLabel = (element) => {
 const ariaLabel = truncateText(element.getAttribute('aria-label') ?? '', 120);
 if (ariaLabel) return ariaLabel;
@@ -121,10 +134,12 @@ const getElementLabel = (element) => {
 const placeholder = truncateText(element.getAttribute('placeholder') ?? '', 120);
 if (placeholder) return placeholder;
 
+ if (isTextEntryElement(element)) {
+ return null;
+ }
+
 const text = truncateText(
- element instanceof HTMLInputElement || element instanceof HTMLTextAreaElement
- ? element.value
- : element.textContent ?? '',
+ element.textContent ?? '',
 120,
 );
 return text || null;
@@ -187,7 +202,9 @@ const getVerificationTargetState = (element) => {
 ? element.checked
 : null,
 value:
- element instanceof HTMLInputElement || element instanceof HTMLTextAreaElement
+ shouldRedactVerificationValue(element)
+ ? null
+ : element instanceof HTMLInputElement || element instanceof HTMLTextAreaElement
 ? truncateText(element.value ?? '', 200)
 : element instanceof HTMLSelectElement
 ? truncateText(element.value ?? '', 200)
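Review bot: The exempt-type list in `shouldRedactVerificationValue` (first hunk) has no comment saying that it fails closed, and the two new predicates disagree about inputs without explanation: `isTextEntryElement` counts every `HTMLInputElement`, while this one exempts `checkbox`, `radio`, `range`, `button`, `submit` and `reset`. I would add above the list something like `// Input types whose value is not free text; any type not listed here is redacted, including types added later.` and a one-line comment on `isTextEntryElement` saying it is deliberately broader, if that is the intent. Without that, a later edit could flip the list into a set of types to redact, which would let `hidden`, `password` or newly added input types through by default.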
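Review bot: The early `return null` added to `getElementLabel` (second hunk) also fires for `<input type="button">`, `submit` and `reset`, whose `value` is the author-set caption rather than typed text, so those controls lose their fallback label; the remaining `textContent` fallback is empty for an input anyway. Gating on the narrower predicate and keeping `value` for exempt inputs would preserve them: `if (shouldRedactVerificationValue(element)) return null;` followed by `element instanceof HTMLInputElement ? element.value : element.textContent ?? '',`. Separately, `textContent` of a non-editable wrapper still includes text typed into a contenteditable descendant; whether such wrappers are ever passed in is not visible here, so that may deserve a check at the call site. The middle of `getElementLabel` lies between the first two hunks and is not shown.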
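Review bot: After the new first branch in `getVerificationTargetState` (third hunk), the `|| element instanceof HTMLTextAreaElement` test on the added `:` line can no longer be true, because every textarea is redacted one line earlier; the nested ternary now reads as if textarea values were still emitted. Dropping it (`: element instanceof HTMLInputElement`) or moving the selection into a small named helper would make the redaction order easier to audit. The rest of the returned object lies outside the hunk, so I cannot tell whether another field, for example one derived from `textContent`, still carries text from a contenteditable element; if one exists it needs the same check. The patch touches only this file, so a fixture test asserting `value: null` for a filled text input and a non-null value for a checkbox would lock the behaviour in.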