[FEATURE] WebFetch: flag or strip DOM-hidden content (aria-hidden, display:none) before context ingestion
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
When WebFetch retrieves a web page, visually hidden content (via CSS or accessibility attributes) can be included in the plain text passed to
the model — with no signal that it was invisible to the user. This is a silent prompt injection vector.
Attack vectors covered:
- aria-hidden="true"
- display:none / visibility:hidden
- <span hidden> (native HTML attribute)
- Font size ≤ 1–2px or text color matching background color
Proposed fix
At the HTML → text conversion step inside WebFetch, detect hidden content and either:
- (a) Strip it — safest default, prevents injection entirely
- (b) Flag it — pass it with a [HIDDEN CONTENT: ...] marker so the model can identify it, alert the user, and disregard it for task execution
Option (b) is preferable for auditability: the user can see what was attempted.
Proposed Solution
claude-code-action already sanitizes hidden content at the GitHub Action layer (see
https://github.com/anthropics/claude-code-action/blob/main/docs/security.md). Applying the same logic to the core WebFetch tool would be
consistent and close the gap for all Claude Code users.
Related: #18653 proposes a ToolResultTransform hook as a broader architectural fix — this issue is narrower and targets the WebFetch HTML
parser specifically, making it actionable independently.
Alternative Solutions
_No response_
Priority
High - Significant impact on productivity
Feature Category
CLI commands and flags
Use Case Example
_No response_
Additional Context
_No response_
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗