ensuring we dont execute code in attributes

Sam Martin · Sam Martin · commit dabcd04cfe5a · 2025-12-19T12:48:22.000-08:00
diff --git a/lerna.json b/lerna.json
@@ -2,6 +2,6 @@
   "packages": [
     "packages/*"
   ],
-  "version": "0.8.46",
+  "version": "0.8.47",
   "npmClient": "yarn"
 }
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "clarity",
   "private": true,
-  "version": "0.8.46",
+  "version": "0.8.47",
   "repository": "https://github.com/microsoft/clarity.git",
   "author": "Sarvesh Nagpal <sarveshn@microsoft.com>",
   "license": "MIT",
diff --git a/packages/clarity-decode/package.json b/packages/clarity-decode/package.json
@@ -1,6 +1,6 @@
 {
   "name": "clarity-decode",
-  "version": "0.8.46",
+  "version": "0.8.47",
   "description": "An analytics library that uses web page interactions to generate aggregated insights",
   "author": "Microsoft Corp.",
   "license": "MIT",
@@ -26,7 +26,7 @@
     "url": "https://github.com/Microsoft/clarity/issues"
   },
   "dependencies": {
-    "clarity-js": "^0.8.46"
+    "clarity-js": "^0.8.47"
   },
   "devDependencies": {
     "@rollup/plugin-commonjs": "^24.0.0",
diff --git a/packages/clarity-devtools/package.json b/packages/clarity-devtools/package.json
@@ -1,6 +1,6 @@
 {
   "name": "clarity-devtools",
-  "version": "0.8.46",
+  "version": "0.8.47",
   "private": true,
   "description": "Adds Clarity debugging support to browser devtools",
   "author": "Microsoft Corp.",
@@ -24,9 +24,9 @@
     "url": "https://github.com/Microsoft/clarity/issues"
   },
   "dependencies": {
-    "clarity-decode": "^0.8.46",
-    "clarity-js": "^0.8.46",
-    "clarity-visualize": "^0.8.46"
+    "clarity-decode": "^0.8.47",
+    "clarity-js": "^0.8.47",
+    "clarity-visualize": "^0.8.47"
   },
   "devDependencies": {
     "@rollup/plugin-node-resolve": "^15.0.0",
diff --git a/packages/clarity-devtools/static/manifest.json b/packages/clarity-devtools/static/manifest.json
@@ -2,8 +2,8 @@
   "manifest_version": 2,
   "name": "Microsoft Clarity Developer Tools",
   "description": "Clarity helps you understand how users are interacting with your website.",
-  "version": "0.8.46",
-  "version_name": "0.8.46",
+  "version": "0.8.47",
+  "version_name": "0.8.47",
   "minimum_chrome_version": "50",
   "devtools_page": "devtools.html",
   "icons": {
diff --git a/packages/clarity-js/package.json b/packages/clarity-js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "clarity-js",
-  "version": "0.8.46",
+  "version": "0.8.47",
   "description": "An analytics library that uses web page interactions to generate aggregated insights",
   "author": "Microsoft Corp.",
   "license": "MIT",
diff --git a/packages/clarity-js/src/core/version.ts b/packages/clarity-js/src/core/version.ts
@@ -1,2 +1,2 @@
-let version = "0.8.46";
+let version = "0.8.47";
 export default version;
diff --git a/packages/clarity-visualize/package.json b/packages/clarity-visualize/package.json
@@ -1,6 +1,6 @@
 {
   "name": "clarity-visualize",
-  "version": "0.8.46",
+  "version": "0.8.47",
   "description": "An analytics library that uses web page interactions to generate aggregated insights",
   "author": "Microsoft Corp.",
   "license": "MIT",
@@ -27,7 +27,7 @@
     "url": "https://github.com/Microsoft/clarity/issues"
   },
   "dependencies": {
-    "clarity-decode": "^0.8.46"
+    "clarity-decode": "^0.8.47"
   },
   "devDependencies": {
     "@rollup/plugin-commonjs": "^24.0.0",
diff --git a/packages/clarity-visualize/src/layout.ts b/packages/clarity-visualize/src/layout.ts
@@ -641,7 +641,7 @@ export class LayoutHelper {
                                 node.setAttribute(Constant.Hide, size);
                         }
                     } else {
-                        node.setAttribute(attribute, v);
+                        node.setAttribute(attribute, this.isSuspiciousAttribute(attribute, v) ? Constant.Empty : v);
                     }
                 } catch (ex) {
                     console.warn("Node: " + node + " | " + JSON.stringify(attributes));
@@ -670,6 +670,23 @@ export class LayoutHelper {
         }
     }
 
+    private isSuspiciousAttribute(name: string, value: string): boolean {
+        // Block event handlers entirely
+        if (name.startsWith('on')) {
+            return true;
+        }
+        
+        // Check for JavaScript protocols and dangerous patterns
+        const dangerous = [
+            /^\s*javascript:/i,
+            /^\s*data:text\/html/i,
+            /^\s*vbscript:/i
+        ];
+        
+        return dangerous.some(pattern => pattern.test(value));
+    }
+
+
     private getMobileCustomStyle = (): string => {
         if(this.isMobile){
             return `*{scrollbar-width: none; scrollbar-gutter: unset;};`
diff --git a/packages/clarity-visualize/types/visualize.d.ts b/packages/clarity-visualize/types/visualize.d.ts
@@ -199,7 +199,7 @@ export const enum Constant {
     NewPassword = "new-password",
     StyleSheet = "stylesheet",
     OriginalBackgroundColor = "data-clarity-background-color",
-    OriginalOpacity = "data-clarity-opacity"
+    OriginalOpacity = "data-clarity-opacity",
 }
 
 export const enum Setting {

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,6 @@`
`2`	`2`	`"packages": [`
`3`	`3`	`"packages/*"`
`4`	`4`	`],`
`5`		`- "version": "0.8.46",`
	`5`	`+ "version": "0.8.47",`
`6`	`6`	`"npmClient": "yarn"`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "clarity",`
`3`	`3`	`"private": true,`
`4`		`- "version": "0.8.46",`
	`4`	`+ "version": "0.8.47",`
`5`	`5`	`"repository": "https://github.com/microsoft/clarity.git",`
`6`	`6`	`"author": "Sarvesh Nagpal <[email protected]>",`
`7`	`7`	`"license": "MIT",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "clarity-js",`
`3`		`- "version": "0.8.46",`
	`3`	`+ "version": "0.8.47",`
`4`	`4`	`"description": "An analytics library that uses web page interactions to generate aggregated insights",`
`5`	`5`	`"author": "Microsoft Corp.",`
`6`	`6`	`"license": "MIT",`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-let version = "0.8.46";`
	`1`	`+let version = "0.8.47";`
`2`	`2`	`export default version;`
Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,7 @@ export const enum Constant {`
`199`	`199`	`NewPassword = "new-password",`
`200`	`200`	`StyleSheet = "stylesheet",`
`201`	`201`	`OriginalBackgroundColor = "data-clarity-background-color",`
`202`		`- OriginalOpacity = "data-clarity-opacity"`
	`202`	`+ OriginalOpacity = "data-clarity-opacity",`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`export const enum Setting {`