From 808ce0de8e2843648324b2926ba7c29c82e3c996 Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Mon, 20 Apr 2026 11:06:45 +0800
Subject: [PATCH] fix(security): wrap snapshot output in untrusted-content envelope

The sidebar system prompt pushes the agent to run \`\$B snapshot\` as its primary read path, but snapshot was NOT in PAGE_CONTENT_COMMANDS, so its ARIA-name output flowed to Claude unwrapped. A malicious page's aria-label attributes became direct agent input without the trust boundary markers that every other read path gets.

Adding 'snapshot' to the set runs the output through wrapUntrustedContent() like text/html/links/forms already do.

Caught by codex adversarial review.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 browse/src/commands.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/browse/src/commands.ts b/browse/src/commands.ts
index 22c30694..9f2bf874 100644
--- a/browse/src/commands.ts
+++ b/browse/src/commands.ts
@@ -52,6 +52,11 @@ export const PAGE_CONTENT_COMMANDS = new Set([
 'console', 'dialog', 'media', 'data', 'ux-audit',
+ // snapshot emits aria tree with attacker-controlled aria-label strings.
+ // The sidebar's system prompt pushes agents to run `$B snapshot` as the
+ // primary read path, so unwrapped snapshot output is the biggest ingress
+ // for indirect prompt injection. Envelope it like every other read.
+ 'snapshot',
 ]); /** Wrap output from untrusted-content commands with trust boundary markers */
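Review bot: The new entry closes one gap in an opt-in allowlist, but the set's default for any command not listed remains "unwrapped", which is exactly the failure mode that let snapshot through, and the commit adds nothing that would catch the next omission. A unit test asserting that every command whose handler returns page-derived output is a member of PAGE_CONTENT_COMMANDS, or inverting the default so that only an explicit list of non-page commands bypasses wrapUntrustedContent(), would make this class of bug fail in CI instead of in adversarial review. The new comment explains why snapshot is listed; a one-line note on the set itself, e.g. `// Opt-in: any command omitted here reaches the model unwrapped — list every page-derived read path.`, would tell the next maintainer that omission is the unsafe default. PAGE_CONTENT_COMMANDS is declared before this hunk and wrapUntrustedContent() is outside it, so I cannot confirm from the hunk that the envelope neutralises marker-like sequences occurring inside the payload (an aria-label string is fully page-controlled); if it does not, the trust boundary is advisory rather than enforced and is worth checking separately.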