From 3efb2d72f34afd8fde5d2c2b2a1e013b80a7d313 Mon Sep 17 00:00:00 2001
From: Paul D'Ambra
Date: Fri, 15 Sep 2023 15:30:52 +0100
Subject: [PATCH 1/2] feat: add an attribute denylist for autocapture
---
 src/__tests__/autocapture.js | 13 +++++++++++++
 src/autocapture.ts | 4 ++++
 src/types.ts | 6 ++++++
 3 files changed, 23 insertions(+)
diff --git a/src/__tests__/autocapture.js b/src/__tests__/autocapture.js
index 2dff85193..1ffcd18c5 100644
--- a/src/__tests__/autocapture.js
+++ b/src/__tests__/autocapture.js
@@ -112,6 +112,19 @@ describe('Autocapture system', () => {
 expect(props['_ngcontent-dpm-c448']).toBeUndefined()
 expect(props['_nghost-dpm-c448']).toBeUndefined()
 })
+
+ it('should filter element attributes based on the denylist', () => {
+ autocapture.config = {
+ element_attribute_denylist: ['data-attr', 'data-attr-2'],
+ }
+ div.setAttribute('data-attr', 'value')
+ div.setAttribute('data-attr-2', 'value')
+ div.setAttribute('data-attr-3', 'value')
+ const props = autocapture._getPropertiesFromElement(div)
+ expect(props['attr__data-attr']).toBeUndefined()
+ expect(props['attr__data-attr-2']).toBeUndefined()
+ expect(props['attr__data-attr-3']).toBe('value')
+ })
 })
 describe('_getAugmentPropertiesFromElement', () => {
diff --git a/src/autocapture.ts b/src/autocapture.ts
index 85cc13f7f..e40425898 100644
--- a/src/autocapture.ts
+++ b/src/autocapture.ts
@@ -101,10 +101,14 @@ const autocapture = {
 return c !== ''
 })
+ // capture the deny list here because this not-a-class class makes it tricky to use this.config in the function below
+ const elementAttributeDenylist = this.config?.element_attribute_denylist
 _each(elem.attributes, function (attr: Attr) {
 // Only capture attributes we know are safe
 if (isSensitiveElement(elem) && ['name', 'id', 'class'].indexOf(attr.name) === -1) return
+ if (elementAttributeDenylist?.includes(attr.name)) return
+
 if (!maskInputs && shouldCaptureValue(attr.value) && !isAngularStyleAttr(attr.name)) {
 props['attr__' + attr.name] = limitText(1024, attr.value)
 }
diff --git a/src/types.ts b/src/types.ts
index 9d1108c3a..cb242325e 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -44,6 +44,12 @@ export interface AutocaptureConfig {
 * e.g. ['[ph-capture]']
 */
 css_selector_allowlist?: string[]
+
+ /**
+ * Exclude certain element attributes from autocapture
+ * E.g. ['aria-label'] or [data-attr-pii]
+ */
+ element_attribute_denylist?: string[]
 }
 export type UUIDVersion = 'og' | 'v7'
From 7c2b5331b028bb912d3a2255df836ba2b13435b2 Mon Sep 17 00:00:00 2001
From: Paul D'Ambra
Date: Fri, 15 Sep 2023 16:04:33 +0100
Subject: [PATCH 2/2] ignore not deny
---
 src/__tests__/autocapture.js | 4 ++--
 src/autocapture.ts | 4 ++--
 src/types.ts | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/__tests__/autocapture.js b/src/__tests__/autocapture.js
index 1ffcd18c5..24c52b8fa 100644
--- a/src/__tests__/autocapture.js
+++ b/src/__tests__/autocapture.js
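Review bot: The added guard `if (elementAttributeDenylist?.includes(attr.name)) return` is an exact, case-sensitive comparison, so a configured entry that differs in case from what the DOM reports never matches and the attribute value is still captured. For HTML elements in an HTML document `attr.name` is reported in lowercase, so an entry such as `'Data-Attr-PII'` fails open without any warning. Because this option exists to keep sensitive values out of captured events, consider normalising once where the list is read, `const denylist = this.config?.element_attribute_denylist?.map((n) => n.toLowerCase())`, and checking `denylist?.includes(attr.name.toLowerCase())`. The same comparison is carried over under the new name in PATCH 2/2; the enclosing function starts and ends outside this hunk.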
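Review bot: The doc comment added for `element_attribute_denylist` gives its second example as `[data-attr-pii]` with no quotes, directly below `css_selector_allowlist`, whose example `['[ph-capture]']` is CSS selector syntax, so a reader can reasonably pass `'[data-attr-pii]'` here. Going by the autocapture.ts hunk, entries are compared with `attr.name` verbatim, so a bracketed selector would never match and the attribute would keep being captured. I would write the example as `E.g. ['aria-label', 'data-attr-pii']` and add a line such as `Entries are plain attribute names matched exactly, not CSS selectors or patterns.` PATCH 2/2 renames the field but keeps this comment text.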
@@ -113,9 +113,9 @@ describe('Autocapture system', () => {
 expect(props['_nghost-dpm-c448']).toBeUndefined()
 })
- it('should filter element attributes based on the denylist', () => {
+ it('should filter element attributes based on the ignorelist', () => {
 autocapture.config = {
- element_attribute_denylist: ['data-attr', 'data-attr-2'],
+ element_attribute_ignorelist: ['data-attr', 'data-attr-2'],
 }
 div.setAttribute('data-attr', 'value')
 div.setAttribute('data-attr-2', 'value')
diff --git a/src/autocapture.ts b/src/autocapture.ts
index e40425898..0e3749ed9 100644
--- a/src/autocapture.ts
+++ b/src/autocapture.ts
@@ -102,12 +102,12 @@ const autocapture = {
 })
 // capture the deny list here because this not-a-class class makes it tricky to use this.config in the function below
- const elementAttributeDenylist = this.config?.element_attribute_denylist
+ const elementAttributeIgnorelist = this.config?.element_attribute_ignorelist
 _each(elem.attributes, function (attr: Attr) {
 // Only capture attributes we know are safe
 if (isSensitiveElement(elem) && ['name', 'id', 'class'].indexOf(attr.name) === -1) return
- if (elementAttributeDenylist?.includes(attr.name)) return
+ if (elementAttributeIgnorelist?.includes(attr.name)) return
 if (!maskInputs && shouldCaptureValue(attr.value) && !isAngularStyleAttr(attr.name)) {
 props['attr__' + attr.name] = limitText(1024, attr.value)
diff --git a/src/types.ts b/src/types.ts
index cb242325e..e10de4f9d 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -49,7 +49,7 @@ export interface AutocaptureConfig {
 * Exclude certain element attributes from autocapture
 * E.g. ['aria-label'] or [data-attr-pii]
 */
- element_attribute_denylist?: string[]
+ element_attribute_ignorelist?: string[]
 }
 export type UUIDVersion = 'og' | 'v7'
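Review bot: The context comment above the renamed constant in the src/autocapture.ts hunk still reads `// capture the deny list here because …`, while the variable and config key are now `elementAttributeIgnorelist` and `element_attribute_ignorelist`. Mixed terms for one privacy setting make it harder to search for and audit, so I would update the comment to `// capture the ignore list here because this not-a-class class makes it tricky to use this.config in the function below`. The enclosing function starts and ends outside the hunk.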