Flow Studio
Log Sanitization
The sanitize() function runs on every log entry before it is displayed in the UI. It rewrites patterns that should not appear in a browser interface: credential-like strings, card-number-like digit runs, user home-directory paths, and HTML tags.
What sanitize() Strips
| Pattern | Replacement | Examples |
|---|---|---|
| JWT tokens (three base64url segments, the first starting with eyJ) | [REDACTED:JWT] | Bearer eyJhbG... |
| 16-digit credit card patterns (four groups of four digits, optional space or hyphen between groups) | [REDACTED:CC] | 4111111111111111 |
| Known password field names + value (key=value form, key matched case-insensitively) | password=[REDACTED] | password=secret123 |
| Known secret field names + value (key=value form, key matched case-insensitively) | apiKey=[REDACTED] | apiKey=sk-abc123 |
| HTML tags | Tags stripped, text retained | <script>alert()</script> |
| User home directory prefix (C:\Users\USER\ or /home/USER/) | [REDACTED:PATH], rest of the path retained | C:\Users\binoy\secrets.json |
sanitize() Source
```typescript
// flow-observer-core/src/sanitization/sanitize.ts

// Three base64url segments, the first beginning with "eyJ" (the base64url
// encoding of a JSON header that starts with {").
const JWT_PATTERN = /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/g;
// Four groups of four digits, optionally separated by a space or hyphen.
const CC_PATTERN = /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g;
// key=value pairs for known credential field names; the key is kept, the value dropped.
const PASSWORD_PATTERN = /\b(password|passwd|secret|apikey|api_key|token)\s*=\s*\S+/gi;
// Any <...> run; only the tag is removed, the text between tags stays.
const HTML_PATTERN = /<[^>]+>/g;
// The per-user home directory prefix; the remainder of the path is kept.
const HOME_PATH_WIN = /C:\\Users\\[^\\]+\\/gi;
const HOME_PATH_UNIX = /\/home\/[^/]+\//gi;

export function sanitize(text: string): string {
  // Each replacement is applied in turn over the whole string.
  return text
    .replace(JWT_PATTERN, '[REDACTED:JWT]')
    .replace(CC_PATTERN, '[REDACTED:CC]')
    .replace(PASSWORD_PATTERN, (m, key) => `${key}=[REDACTED]`)
    .replace(HTML_PATTERN, '')
    .replace(HOME_PATH_WIN, '[REDACTED:PATH]\\')
    .replace(HOME_PATH_UNIX, '[REDACTED:PATH]/');
}
```
When Sanitization Runs
Sanitization runs on the display path only — not in the buffer. The raw log entry (with all original fields) is stored in flowObserverPanelStore.logs. The sanitize() call happens inside the LogRow render function:
```tsx
// Inside LogRow component
const displayMessage = useMemo(
  () => sanitize(log.message),
  [log.message]
);
```
This means the Log Detail tab shows the sanitized version, and the text search also operates on sanitized text.
Not a Security Boundary
Sanitization is a UI convenience that reduces accidental credential exposure in shared screen sessions or screenshots. It is pattern-based, so anything that does not match the regexes above passes through untouched, and the raw log entry is still transmitted over the authenticated WebSocket connection and kept unredacted in the store, where it can be read from the browser's devtools. Do not rely on sanitize() as a security control; sanitize sensitive data at the source (the executor) instead.
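To see concretely what the patterns in the table do and do not catch, the following added example (not flow-observer-core code) runs a copy of the six regexes and sanitize() from this page over constructed log lines and reports every line whose sensitive literal survives. The Case type, the CASES lines and the leaks() helper are constructed for this example and contain no real credentials. The last three cases use shapes the patterns do not match: access_token= has no word boundary before "token" because "_" is a word character, and the JSON body and the X-Api-Key header use a colon rather than "=". That is exactly the kind of gap the note above is warning about.

```typescript
// Added example, not flow-observer-core code: exercise the sanitize() patterns
// from this page against constructed log lines and list the ones that leak.
// The six regexes and sanitize() are copied from the page; everything else
// (Case, CASES, leaks, main) is constructed for this example.
const JWT_PATTERN = /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/g;
const CC_PATTERN = /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g;
const PASSWORD_PATTERN = /\b(password|passwd|secret|apikey|api_key|token)\s*=\s*\S+/gi;
const HTML_PATTERN = /<[^>]+>/g;
const HOME_PATH_WIN = /C:\\Users\\[^\\]+\\/gi;
const HOME_PATH_UNIX = /\/home\/[^/]+\//gi;

function sanitize(text: string): string {
  return text
    .replace(JWT_PATTERN, '[REDACTED:JWT]')
    .replace(CC_PATTERN, '[REDACTED:CC]')
    .replace(PASSWORD_PATTERN, (_m, key) => `${key}=[REDACTED]`)
    .replace(HTML_PATTERN, '')
    .replace(HOME_PATH_WIN, '[REDACTED:PATH]\\')
    .replace(HOME_PATH_UNIX, '[REDACTED:PATH]/');
}

// One constructed log line plus the literal that must not survive sanitization.
interface Case {
  line: string;
  secret: string;
}

// Constructed sample lines (no real credentials). The first six match the
// documented patterns; the last three are shapes the regexes do not cover.
const CASES: Case[] = [
  { line: 'auth ok: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl', secret: 'eyJzdWIiOiIxIn0' },
  { line: 'charge card 4111 1111 1111 1111 declined', secret: '4111 1111 1111 1111' },
  { line: 'login password=secret123 user=binoy', secret: 'secret123' },
  { line: 'config apiKey=sk-abc123 loaded', secret: 'sk-abc123' },
  { line: 'read C:\\Users\\binoy\\secrets.json', secret: 'binoy' },
  { line: 'read /home/binoy/.ssh/id_ed25519', secret: 'binoy' },
  // "_" is a word character, so \b never sits between "access_" and "token".
  { line: 'refresh access_token=rt-9f8e7d', secret: 'rt-9f8e7d' },
  // JSON uses ":" rather than "=", so the key=value pattern does not fire.
  { line: 'body {"password": "hunter2"}', secret: 'hunter2' },
  // Header form: hyphenated key and ":" separator, neither matches.
  { line: 'header X-Api-Key: sk-live-42', secret: 'sk-live-42' },
];

// Return the lines whose sensitive literal is still present after sanitize().
function leaks(cases: Case[]): string[] {
  return cases
    .filter((c) => sanitize(c.line).includes(c.secret))
    .map((c) => c.line);
}

// Stand-alone run: print each line before/after and the leak summary.
function main(): void {
  for (const c of CASES) {
    console.log(`${c.line}\n  -> ${sanitize(c.line)}`);
  }
  const leaked = leaks(CASES);
  console.log(`\n${leaked.length} of ${CASES.length} lines leak:`);
  for (const l of leaked) console.log(`  ${l}`);
}

main();
```

Run it with ts-node; leaks(CASES) returns the three lines that pass through unchanged. A check of this shape belongs beside sanitize.ts so that a pattern change that regresses a known case fails the build, but it does not change the conclusion above: redaction at the executor is the control, and the UI pass is a convenience on top of it.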