rrweb-io / rrweb-snapshot

rrweb's snapshot and rebuild module

Password input values are serialized by default

BenoitZugmeyer opened this issue

Contrary to the RRWeb guide documentation, password values are serialized during full snapshots or "mutation" incremental snapshots.

This may be especially critical when snapshots are taken after the page "load" event (e.g. automatic checkout, takeFullSnapshot API).

A workaround could be to avoid collecting attributes.value if the input type is "password" here.

commented

Thanks! This is really a critical issue; we only masked password input events before and forgot the snapshot part.

I have merged #73 so we can configure password masking from options.

And in the latest commit, I set the default value of masking password to true when a user does not pass in any explicit config about it.
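The behaviour discussed in this thread, as an added sketch that is not rrweb-snapshot's own code: a serializer that masks password values unless the caller opts out, plus an audit pass that flags unmasked password inputs in a stored snapshot. The function names, the `maskPassword` option name and the node shape are assumptions made for illustration.

```javascript
// Added sketch with hypothetical names; not rrweb-snapshot's own code.
// Elements are plain objects (constructed) so this runs in Node without a DOM.
const MASK_CHAR = '*';

// Serialize an <input>'s attributes. `maskPassword` is an assumed option name
// and defaults to true when the caller gives no explicit setting.
function serializeInputAttributes(el, options = {}) {
  const maskPassword = options.maskPassword !== false;
  const attributes = { ...el.attributes };
  const type = String(attributes.type || 'text').toLowerCase();
  // el.value is the live (typed) value; attributes.value is the initial one.
  const live = el.value ?? attributes.value ?? '';
  if (type === 'password' && maskPassword) {
    attributes.value = MASK_CHAR.repeat(live.length); // length kept, content dropped
  } else if (el.value !== undefined) {
    attributes.value = el.value;
  }
  return attributes;
}

// Build a snapshot-like tree for a form (node shape is an assumption).
function snapshotForm(elements, options) {
  return {
    id: 1, tagName: 'form', attributes: {},
    childNodes: elements.map((el) => ({
      id: el.id, tagName: el.tagName, childNodes: [],
      attributes: serializeInputAttributes(el, options),
    })),
  };
}

// Audit: ids of password inputs whose stored value is not fully masked.
function findUnmaskedPasswords(node, found = []) {
  const attrs = node.attributes || {};
  const isPassword = node.tagName === 'input' &&
    String(attrs.type || '').toLowerCase() === 'password';
  if (isPassword && /[^*]/.test(attrs.value || '')) found.push(node.id);
  for (const child of node.childNodes || []) findUnmaskedPasswords(child, found);
  return found;
}

// Constructed sample input.
const sampleForm = [
  { id: 2, tagName: 'input', attributes: { type: 'text', name: 'user' }, value: 'alice' },
  { id: 3, tagName: 'input', attributes: { type: 'PASSWORD', name: 'pw' }, value: 'hunter2' },
];
console.log(findUnmaskedPasswords(snapshotForm(sampleForm)));                          // default: masked
console.log(findUnmaskedPasswords(snapshotForm(sampleForm, { maskPassword: false }))); // opt-out
```

The audit pass can be run over snapshots that were recorded before masking became the default, to find sessions that need purging.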