[FEATURE] WebFetch: flag or strip DOM-hidden content (aria-hidden, display:none) before context ingestion

Resolved 💬 5 comments Opened Mar 13, 2026 by aboigues Closed Apr 13, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

When WebFetch retrieves a web page, visually hidden content (via CSS or accessibility attributes) can be included in the plain text passed to
the model — with no signal that it was invisible to the user. This is a silent prompt injection vector.

Attack vectors covered:

  • aria-hidden="true"
  • display:none / visibility:hidden
  • <span hidden> (native HTML attribute)
  • Font size ≤ 1–2px or text color matching background color

Proposed fix

At the HTML → text conversion step inside WebFetch, detect hidden content and either:

  • (a) Strip it — safest default, prevents injection entirely
  • (b) Flag it — pass it with a [HIDDEN CONTENT: ...] marker so the model can identify it, alert the user, and disregard it for task execution

Option (b) is preferable for auditability: the user can see what was attempted.

Proposed Solution

claude-code-action already sanitizes hidden content at the GitHub Action layer (see
https://github.com/anthropics/claude-code-action/blob/main/docs/security.md). Applying the same logic to the core WebFetch tool would be
consistent and close the gap for all Claude Code users.

Related: #18653 proposes a ToolResultTransform hook as a broader architectural fix — this issue is narrower and targets the WebFetch HTML
parser specifically, making it actionable independently.

Alternative Solutions

_No response_

Priority

High - Significant impact on productivity

Feature Category

CLI commands and flags

Use Case Example

_No response_

Additional Context

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗