I've spent the past few days working on updating my personal website. The URL of my personal website is (my first name).(my last name).com, as my last name is rather unusual, and I was lucky enough to pick up the domain name. My e-mail address is (my first name)#(my last name).com. So really, when it comes down to guessing it, it's not very hard.
Anyways, I want to integrate a mailto: link into my website, so people can contact me. And, despite my e-mail address not being very hard to guess, I'd rather not have it harvested by spam bots that just crawl websites for e-mail address patterns and add them to their database.
What is the best way for me to obfuscate my e-mail address, preferably in link form? The methods I know of are:
e-mail me
It works, but it also means that as soon as my website hits Google, I'll be wading through spam as spam bots easily pick out my e-mail address.
<img src="images/e-mail.png" />
This is less desirable, because not only will visitors be unable to click on it to send me an e-mail, but smarter spam bots will probably be able to detect the characters that the image contains.
I know that there is probably no perfect solution, but I was just wondering what everyone thought was best. I'm definitely willing to use JavaScript if necessary, as my website already makes use of tons of it.
I encode the characters as HTML entities (something like this). It doesn't require JS to be enabled and seems to have stopped most of the spam. I suppose a smart bot might still harvest it, but I haven't had any problems.
Personally, I've given up on hiding my email address. I find it easier to look into better spam-filtering solutions than worry about obfuscating. You could spend days trying to find the best way to obfuscate your address, and then all it takes is one person to sell your address to a spammer and all that work was useless.
The current accepted solution is to create a contact form that allows users to email you. If you receive a lot of spam from that (I don't on my site), then you can add a captcha for good measure, and you'll be far from the "low hanging fruit" at that point.
The fact of the matter is that if you are providing a link that a user can click on to pop open their email client with your address in the To: field, then the computer is able to decipher the email address from the page and so can a spam bot.
You mentioned this is for your personal website. On my personal site (for example, bobsomers.com) I just have a paragraph that says this:
The best way to get in contact with me
before the new site is up is to send
me an email. My email address is my
first name at this website. If you
can't figure it out from that hint,
well, you might find email more of a
challenge than figuring out my
address.
People seem to be able to figure that out just fine, as I get legitimate email all the time. Sometimes the best solutions don't require writing any code. :)
A lightweight way to obfuscate the href of an anchor is to base64-encode it:
> btoa('mailto:email#example.com')
< "bWFpbHRvOmVtYWlsQGV4YW1wbGUuY29t"
And then include it hardcoded:
E-Mail
Or dynamically server-side e.g. in PHP:
E-Mail
In combination with string reversion it could be pretty spam-save:
<?= strrev("email#example.com") ?>
Apparently using CSS to change the direction of your text works pretty well. That link has a test of a bunch of other obfuscation methods as well.
Whatever you use is inevitably going to be defeated. Your primary aim should be to avoid annoying the heck out of your users.
Don't use any obfuscation techniques here because it's probably the first place the email harvesters will look to find out how people are obfuscating emails. If you have to have your email address visible on the site don't just copy verbatim someone else's method; obfuscate it in some unique way that no other site has used so that your method won't be known to harvesters before they visit your site.
mine is actually simple:
<h3 id="email">hello#gmail.com</h3><!-- add a fake email -->
$(document).ready(function(){
//my email in reverse :)
var s = 'moc.elibomajninbew#htiek';
var e = s.split("").reverse().join("");
$('#email').html(''+e+'');
});
You could do as Google do on Google Code (and Groups). Display a par tof the email, and a clickable portion ("..."). Clicking that indicates you want to know the email, and you are asked to fill in a captcha. Afterwards the email (and others?) are visible to you.
One website I maintain uses a somewhat simplistic JavaScript means of (hopefully) keeping spambots out.
Email links call a JS function:
function sendEmail(name, domain) {
location.href = 'mailto:' + name + '#' + domain;
}
To make sure only users who have JS enabled can see the link, write them out with this:
function writeEmailLink(realName, name, domain) {
document.write('<a href="javascript:sendEmail(\''
+ name + '\', \'' + domain + '\')">');
document.write(realName);
document.write('</a>');
}
The use of one JS function to write out a link that calls another means that there are two layers of protection.
I use JavaScript obfuscation, take a look at this one for example:
http://www.jottings.com/obfuscator/
As a poster above said, I also use JavaScript obfuscation from the jottings website.
The web page generates some JavaScript which can be improved on. The mailto: text string is in the clear and identifiable by robots (which could spot this and unobfuscate this string), but if one enters into the jottings.com webpage an email address of the form mailto:addr#site.tld instead of addr#site.tld and then removes the text mailto: from the JavaScript that is generated, one suddenly has some JavaScript that does not look as though it has anything to do with email at all - just random JavaScript of which the web is full. One can improve this still further by getting rid of the link text - I replaced mine by an image of my email address that is in a fairly obscure font. Then just in case this method on jottings.com becomes popular, I randomized the variable names in the output JavaScript to make it hard for a robot to spot an instance of jottings generated JavaScript code.
Obviously some of these improvements could be built into the mechanism on jottings itself, and since the code is openly available this would be relatively easy.
An example may make this a bit more clear. I used the Jottings Obfuscator at the link above to obscure mailto:foo#bar.com (note I am cheating on the original intent of the jottings website by entering the string mailto:foo#bar.com instead of foo#bar.com) with text "Send Me Email", which jottings turned into this Javascript:
<script type="text/javascript" language="javascript">
<!--
// Email obfuscator script 2.1 by Tim Williams, University of Arizona
// Random encryption key feature by Andrew Moulden, Site Engineering Ltd
// This code is freeware provided these four comment lines remain intact
// A wizard to generate this code is at http://www.jottings.com/obfuscator/
{ coded = "3A1OTJ:rJJ#VAK.GJ3"
key = "J0K94NR2SXLupIGqVwt8EZlhznemfaPjs7QvTB6iOyWYo3rAk5FHMdxCg1cDbU"
shift=coded.length
link=""
for (i=0; i<coded.length; i++) {
if (key.indexOf(coded.charAt(i))==-1) {
ltr = coded.charAt(i)
link += (ltr)
}
else {
ltr = (key.indexOf(coded.charAt(i))-shift+key.length) % key.length
link += (key.charAt(ltr))
}
}
document.write("<a href='mailto:"+link+"'>Send Me Email</a>")
}
//-->
</script><noscript>Sorry, you need Javascript on to email me.</noscript>
After I get that back, I paste it into an editor and:
remove the mailto:
replace link text with pointer to an image of my email address
rename all the variables
replace the "noscript" section with another link to the email address image
I end up with this:
<script type="text/javascript" language="javascript">
<!--
// Email obfuscator script 2.1 by Tim Williams, University of Arizona
// Random encryption kkeoy feature by Andrew Moulden, Site Engineering Ltd
// This kudzu is freeware provided these four comment lines remain intact
// A wizard to generate this kudzu is at http://www.jottings.com/obfuscator/
{ kudzu = "3A1OTJ:rJJ#VAK.GJ3"
kkeoy = "J0K94NR2SXLupIGqVwt8EZlhznemfaPjs7QvTB6iOyWYo3rAk5FHMdxCg1cDbU"
shift=kudzu.length
klonk=""
for (variter=0; variter<kudzu.length; variter++) {
if (kkeoy.indexOf(kudzu.charAt(variter))==-1) {
lutu = kudzu.charAt(variter)
klonk += (lutu)
}
else {
lutu = (kkeoy.indexOf(kudzu.charAt(variter))-shift+kkeoy.length) % kkeoy.length
klonk += (kkeoy.charAt(lutu))
}
}
document.write("<a href='"+klonk+"'><img src='contactaddressimage.png' alt='Send Me Email' border='0' height='62' width='240'></a>")
}
//-->
</script>
<noscript>
<img src="contactaddressimage.png" border="0" height="62" width="240">
<font face="Arial" size="3"><br> </font></p>
</noscript>
I don't how well this would work. Could you not leave your email address out and make it load using an AJAX call once the page has finished loading. Not sure if spam bots can pick up the altered HTML or if they are clever enough to listen on other HTTP traffic to try and pick email addresses or if they just scan the page as it is received the first time.
One guy tested nine different ways of presenting an email address on a page and then published results on his blog.
His three best ways were:
Changing the code direction with CSS
Using CSS display:none
ROT13 Encryption
Caveat -- this was posted two years ago. Spam bots might've gotten smarter.
If you work with PHP, you can grab a free script that does that automatically. It's called "Private Daddy" and we use it for our own online audio streaming service. Just one line of code and it works out of the box... you can grab it here
Another approach could be by using a JavaScript framework and binding the data/model to the HTML elements. In the case of AngularJS, the HTML elements would be written as:
<span>{{contactEmail}}</span>
The interpolation {{data}} binding uses a scope variable that contains the actual email value. In addition, a filter could also be used that handles the decoding of the email as follows:
<span>{{contactEmail | decode}}</span>
The benefits are in the way the HTML is written. The downside is that it requires scripting support which some for may be a no no.
just another approach.
Using JQuery, but can easily be ported to plain JS if needed. Will take the following HTML block. This example I provided is also for tel: links for phone calls.
<a class="obfuscate"
href="mailto:archie...trajano...net">
archie...trajano...net
</a>
<a class="obfuscate"
href="tel:+One FourOneSix-EightFiveSix-SixSixFiveFive">
FourOneSix-EightFiveSix-SixSixFiveFive
</a>
and convert it to the proper links using Javascript.
$(".obfuscate").each(function () {
$(this).html($(this).html()
.replace("...", "#").replace(/\.\.\./g, ".")
.replace(/One/g, "1")
.replace(/Two/g, "2")
.replace(/Three/g, "3")
.replace(/Four/g, "4")
.replace(/Five/g, "5")
.replace(/Six/g, "6")
.replace(/Seven/g, "7")
.replace(/Eight/g, "8")
.replace(/Nine/g, "9")
.replace(/Zero/g, "0"))
$(this).attr("href", $(this).attr("href")
.replace("...", "#").replace(/\.\.\./g, ".")
.replace(/One/g, "1")
.replace(/Two/g, "2")
.replace(/Three/g, "3")
.replace(/Four/g, "4")
.replace(/Five/g, "5")
.replace(/Six/g, "6")
.replace(/Seven/g, "7")
.replace(/Eight/g, "8")
.replace(/Nine/g, "9")
.replace(/Zero/g, "0"))
})
I documented it in more detail here https://trajano.net/2017/01/obfuscating-mailto-links/
The de/obfuscation algorithm is pretty simple so its not too taxing to write either (no need for base64 parsing)
The Ajax call solution
The best is to have a form on the website and not to show email address, because all robots are more intelligent day after day, but if you need to show email address on the website, so, you can make it with ajax call on your server, and show it on click.
HTML
<a class="obfmail" href="#" rel="info">click here to show email address</a>
or
<a class="obfmail" href="#" rel="info">
<img src="img/click-to-show-email.jpg">
</a>
jQuery
$(document).one'click', '.obfmail', function(e) {
e.preventDefault();
a = $(this);
addr = a.attr('rel');
$.ajax({
data: {
email: addr
},
url : "/a/getemail",
type: "POST",
dataType: 'json',
success: function(data) {
a.html(data.addr);
a.attr('href', 'mailto:' + data.addr);
}
});
});
PHP
if($_POST['email']) {
...
return json_encode(array(
code => '200',
response => 'success',
addr => 'info#domain.ltd'
));
}
For more security, you can change .on by .one like this $(document).one('click', '.obfmail', function(e) { or even work with a PHP generated token that you pass into data on ajax call, to accept only one call of the ajax function like this :
html: <a class="obfmail" href="#" rel="info" token="w3487ghdr6rc">
jquery:
...
addr = a.attr('rel');
tkn = a.attr('token');
$.ajax({
data: {
email: addr,
token: tkn
}, ...
.
It is possible to encode the returned email address too or invert it.
.
Working fine for phone numbers too !
Cloudflare is now offering free email obfuscation service. This might be an option if you use Cloudlfare.
I agree with #srobinson in that using an online form for encoding to html entities seems a little shady. A few lines of python will do it for you:
def htmlEntities( string ):
return ''.join(['&#{0};'.format(ord(char)) for char in string])
htmlEntities("barnstable#example.com")
the above returns:
'barnstable#example.com'
Which is barnstable#example.com encoded to HTML Entities (surrounded by single quotes).
Honestly, your problem may be moot if you asked the question of whether or not a mailto is really what you want to use. A lot of people who use web mail, for example, or do not have the proper mail client setup in their browser are not going to benefit from a mailto. You are exposing your email address for a function that isn't going to work for a large portion of your users.
What you could do instead is use a form to send the e-mail behind the scenes so that the e-mail address is hidden and you don't have to worry about the poor saps who won't benefit from a mailto.
If you say on your site that "My e-mail address is (my first name)#(my last name).com.", and your first name and last name are pretty darn obvious, that seems to be the best spam protection you're going to get.
If anyone's using Rails, they can use the actionview-encoded_mail_to gem. (https://github.com/reed/actionview-encoded_mail_to)
There are a few options:
:encode - This key will accept the strings "javascript" or "hex".
Passing "javascript" will dynamically create and encode the mailto
link then eval it into the DOM of the page. This method will not show
the link on the page if the user has JavaScript disabled. Passing
"hex" will hex encode the email_address before outputting the mailto
link.
:replace_at - When the link name isn't provided, the
email_address is used for the link label. You can use this option to
obfuscate the email_address by substituting the # sign with the string
given as the value.
:replace_dot - When the link name isn't provided,
the email_address is used for the link label. You can use this option
to obfuscate the email_address by substituting the . in the email with
the string given as the value.
<!-- Multi-Email Obfuscator -->
<!-- step 1: # = # -->
<!-- step 2: a scrap element -->
<!-- step 3: ROT13 encode for .com -->
info<!-- step 1 -->#<!-- step 2 --><b style="display:none">my</b>domain<!-- step 3 --><script>document.write(".pbz".replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}));</script>
Since this solution is not mentioned anywhere, but works well for me:
I do this:
create a mailto link with fake email. I like admin#localhost.localdomain for obvious reasons: Spammer might spam his own botnet when using this address unchecked.
cypher real email address and put it in an unrelated but findable hidden span or whatever element you like. Obviously to obfuscate the email and hide it from the harvester. Depending on your project structure, you might even want to put it in a JS or Session variable.
create a click handler for these links after a second that decyphers and write the correct email address into the fake mailto link not preventing defaults.
I do not think that crawlers click on mailto links, but if they would, they probaby won't wait a second, while a human being would have to be extremly fast to click a link in the first second after pageload.
Now you have a fully functional but obfuscated, honeypoted and timesecured mailto link.
Working example php file:
<html>
<head>
<title>E-Mail Obfuscating</title>
</head>
<body>
<?php
$email = "example#email.org";
echo "<a class='emailLink' href='mailto:admin#localhost.localdomain' >Send me an e-mail!</a>"
."<span style='display:none' data-hash='" . base64_encode($email) . "' />";
?>
<script>
<!--
var emailLinks = document.getElementsByClassName("emailLink");
setTimeout(function() {
for(var i=0; i <emailLinks.length; ++i){
emailLinks[i].addEventListener("click", function(){
let encodedEmail = this.nextSibling.getAttribute('data-hash');
let decodedEmail = atob(encodedEmail);
this.href = "mailto:" + decodedEmail;
this.text = decodedEmail;
});
}
}, 1000);
-->
</script>
</body>
</html>
May the code be with you.
What if creating a link "Contact me" pointing to a directory protected by a password? Of course, you have to give the pass to access.
"Contact me" > ••••••••••• > contact/index.html
Once accessed, the contact/index.html page reveals the email, a mailto for instance.
My solution is to rearrange the characters using css and replacing the element on hover. No change is visible to the user.
const obscureHoverReverseMailTo = input => `<span style="display: inline-flex; color: rgb(0, 0, 238); cursor: pointer; text-decoration: underline;" onmouseover="const newContent = [...this.children].sort((a, b) => a.style.order - b.style.order).map(el => el.innerText).join('');this.outerHTML = \`<a href='mailto: \${newContent}'>\${newContent}</a>\`">${input.split("").map((char, index) => `<span style="order: ${index}">${char}</span>`).sort(() => 0.5 - Math.random()).join("")}</span>`;
const obscureHoverReverseMailTo = input => `<span style="display: inline-flex; color: rgb(0, 0, 238); cursor: pointer; text-decoration: underline;" onmouseover="const newContent = [...this.children].sort((a, b) => a.style.order - b.style.order).map(el => el.innerText).join('');this.outerHTML = \`<a href='mailto: \${newContent}'>\${newContent}</a>\`">${input.split("").map((char, index) => `<span style="order: ${index}">${char}</span>`).sort(() => 0.5 - Math.random()).join("")}</span>`;
document.getElementById("testRoot").innerHTML = obscureHoverReverseMailTo("hello#example.com")
<div id="testRoot"></div>
<input type="text" onkeyup="document.getElementById('testOut').innerHTML = obscureHoverReverseMailTo(this.value)">
<div id="testOut"></div>
here is the function if you have something else to hide:
const obscureHoverReverse = input => `<span style="display: inline-flex" onmouseover="this.outerHTML = [...this.children].sort((a, b) => a.style.order - b.style.order).map(el => el.innerText).join('')">${input.split("").map((char, index) => `<span style="order: ${index}">${char}</span>`).sort(() => 0.5 - Math.random()).join("")}</span>`;
Simple JavaScript-unaware bots typically look for mailto: and/or # in HTML page contents. Obfuscating these keywords will dramatically decrease chances of email address scraping.
A Base-64 encoded URL template mailto:%user%#%domain% can be employed:
function contact(user, domain = location.hostname) {
const template = atob('bWFpbHRvOiV1c2VyJUAlZG9tYWluJQ==');
location.href = template
.replace('%user%', user)
.replace('%domain%', domain);
return false;
}
Where 'bWFpbHRvOiV1c2VyJUAlZG9tYWluJQ==' is btoa('mailto:%user%#%domain%').
HTML links would need to be updated as follows:
e-mail me
Furthermore, javascript: addresses can be hidden from the users:
e-mail me
The return statements prevent the page navigation to the # anchor.
I use a PHP function to generate some javascript to output the email on page load. Note that you don't need PHP to generate the JS at runtime, you can generate the JS once locally and then include the static JS in your page.
You can also use the linked function with this snippet below to automatically obfuscate email addresses in some given HTML (where $processedContent is the HTML):
$emailMatches = array();
$matchCount = preg_match_all('/(?:[a-zA-Z0-9_\.\-])+\#(?:(?:[a-zA-Z0-9\-])+\.)+(?:[a-zA-Z0-9]{2,4})+/', $processedContent, $emailMatches);
if($matchCount > 0) {
$emailMatches = $emailMatches[0];
foreach($emailMatches as $email) {
$replacement = createJSMailLink($email);
$processedContent = str_replace($email, createJSMailLink($email), $processedContent);
}
Related
All:
I have an issue with a project I am working on using C# MVC4
In the project, I am accepting a URL and other parameters from a user, then do some processing and send the result of the processing to the URL provided by the user.
The result is being sent using the following code:
var context = HttpContext.Current;
context.Response.Write("<html><head>");
context.Response.Write("</head><body>");
context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", postUrl));
context.Response.Write("</form>");
context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
context.Response.Write("</body>");
context.Response.Flush();
context.Response.Clear();
context.ApplicationInstance.CompleteRequest();
Whenever a user attempts an XSS like passing a url value of javascript%3aalert('xss')%2f%2f, the JavaScript runs and the pop up shows up.
I've tried Antixss.HtmlEncode() to encode the URL before passing it into string.Format but still doesn't work. I've tried Antixss.UrlEncode() also, but this gives error as the form doesn't submit to the URL.
Please help me out, Is there something I am missing? What else can I do?
Thanks in advance.
You will need a three pronged approach to solve this issue.
Preventing XSS injection:
Note that if a user injected the url value
" /> <script>alert('xss')</script>
this would also leave you vulnerable:
<form name="myform" method="post" action="" /> <script>alert('xss')</script>" >
Therefore you should use the HttpUtility.HtmlAttributeEncode function to solve this one.
However, don't stop there. As noted, you should project against javascript: style URLs. For this I would ensure that the URL begins with http:// or https://. If not, throw a SecurityException which you should be logging and handling server-side, and showing the user a custom error page.
Finally, you want to protect against Open Redirect Vulnerabilities. This is to stop phishing attacks by redirecting users to other domains. Again, use a whitelist approach and ensure that the domain redirected to is one of your own. Be careful on the parsing here, as it is easy to get it wrong - a URL of http://example.org?http://example.com will pass the validation filter for example.com on many badly written validation routines. I recommend using the Uri object in .NET and retrieving the domain through that rather than rolling your own string functions.
You could also check if the URL is a relative URL, and allow it if acceptable. Use something like this function which uses a built in .NET library to ensure that it is relative or not.
Just a thought - try putting this script in rather than just document.myform.submit (and remove the form's action property):
if("{0}".indexOf('http') !== 0) {
//this is some sort of injection, or it's pointing at something on your server. Should cover http and https.
//Specifically, it makes sure that the url starts with 'http' - so a 'javascript' url isn't going to work.
} else {
document.myform.action="{0}"
document.myform.submit();
}
There is more you could do, but this should help.
Since you are adding the postUrl as an attribute "action" of the form tag, you can try using HtmlAttributeEncode method in the HttpUtility
[ValidateInput(false)]
public ActionResult Test(string url)
{
var context = System.Web.HttpContext.Current;
context.Response.Write("<html><head>");
context.Response.Write("</head><body>");
context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", HttpUtility.HtmlAttributeEncode(url)));
context.Response.Write("</form>");
context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
context.Response.Write("</body>");
context.Response.Flush();
context.Response.Clear();
context.ApplicationInstance.CompleteRequest();
return null;
}
http://localhost:39200/home/test?url=https%3A%2F%2Fwww.google.com - Worked
http://localhost:39200/home/test?url=%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E - Worked(Did not show alert)
It is always good practice to Validate the user input against a white list of inputs, to prevent XSS exploits.
try using HttpUtility.UrlEncode
something like Response.Write(HttpUtility.UrlEncode(urlString));
see How To: Prevent Cross-Site Scripting in ASP.NET for more steps =)
I'm not sure if the way to do this is check Google Analytics cookies or otherwise track where a user came to my site from. Basically I have a form with a hidden field code="XY1" Now I need to be able to insert a different preset code for say people who came from Facebook, so the script would have to check where the visitor came from and then assign a code XF1 to any from FB, and a code XT1 to any from Twitter, etc.
Would something like this PHP work for the capture?:
$referringPage = parse_url( $_SERVER['HTTP_REFERER'] );
if ( stristr( $referringPage['host'], 'facebook.com' ) )
Or this JS
var ref = document.referrer;
if (!ref.indexOf("facebook.com") != -1) {
document.write(...)
}
I'm not sure what is the best way to do it and what kind of methods can reliably check the source of a visitor, so any help would be greatly appreciated.
You can use $_SERVER['HTTP_REFERER'], but it's not guaranteed to be accurate, or even present. Not all browsers will necessarily set it, and some allow you to set it yourself. Google cookies won't contain any site history, and you can't examine the browser history, so there's no guaranteed way to do what you're asking.
You can try this option using jquery $.test() method.
$(function(){
var referer=document.referrer, //option 1
//referer="<?php echo $_SERVER['HTTP_REFERER'];?>",//optional 2
XFB=/facebook.com/g,
XFT=/twitter.com/g,
checkF1=XFB.test(referer),
checkF2=XFT.test(referer);
if(checkF1){
var code= "XF1";
$('#hiddenInput').attr('value','ref: '+referer)
}
else if(checkF2){
var code= "XT1";
$('#hiddenInput').attr('value','ref: '+referer)
}
});
so I received an obvious phising email today with this js code in it:
<script type="text/javascript" language="Javascript1.1">
<!-- Begin
var bCancel = false;
function validateRegistrationDetails(form) {
hmrc.portal.clearFieldValidationErrors(form);
if (bCancel) {
return true;
} else {
var registrationDetailsPageMessage = new String("<p>ERROR: This page contains one or more errors. See details below.</p>")
var formValidationResult;
formValidationResult = validateRequired(form) & validateMask(form) & validateIdenticalEmailAddresses(form);
if (!formValidationResult){
var formName=form.name;
var ele=document.getElementById('pageError.registrationDetails');
if(ele){
ele.innerHTML = registrationDetailsPageMessage;
ele.style.display = ''; }
}
return (formValidationResult == 1);
}
}
function registrationDetails_required () {
this.a0 = new Array("selectedServices", "<p>ERROR: Please select at least one online service.</p>", new Function ("varName", " return this[varName];"));
}
function registrationDetails_mask () {
}
function registrationDetails_identicalEmailAddresses () {
}
//End -->
</script>
Is it malicious in anyway, what exactly does it do with the form data. I am not that versed in vanilla javascript. Any explanation would be helpful.
Thanks
In all likelihood, whoever sent you this simply lifted a section of HTML and inline JavaScript from the site they were trying to pretend to be. A few lines in the code such as:
hmrc.portal.clearFieldValidationErrors(form);
suggest that they were trying to be HMRC, with the rest of the code being simple validation of the information being entered; I'm going to guess that the content was taken from the 'Registration' section of that site
So you've already established that it's a phishing email.
Typically phishing emails try to make themselves look legitimate by copying large chunks of code from the original website that they're trying to pretend to be (ie your bank's site or whatever). They'll then alter that code so that it sends the relevant data to the phisher rather than to the bank. They may also add fields that weren't in the original, such as asking for your PIN, etc.
However, the main point here is that the bulk of the original code is generally retained, in order to maintain the look and feel of the original site.
Therefore the chances are that the code you're seeing has actually been copied by the phishers from the original site.
There's nothing explicitly malicious about this code in itself -- it has a lot of badly written code, but it isn't trying to do anything wrong in this code.
Where the problem lies for the phishers here is that Javascript code is blocked by most email clients; ie regardless of its intent, the chances are that that this code won't actually work in your mail client.
But I would guess that the phishers have just taken the original form wholesale from the website and dumped it into an email without bothering to take out any javascript that might have been embedded in it.
So the short answer is: Don't worry about this code in particular, but please do delete the email.
As far as I can see, there's nothing malicious with it, unless some script has been included outside of this script itself.
I have read a lot of pages about avoiding the mailto length limit, but I haven't found an answer to my issue.
My problem is that I cannot send mail from the server (with PHP) because the employees have to keep a history of their emails on their private mail box.
I have to open the mail software client with some fields that are filled, after selecting one type of email.
My select looks like like this :
<select <!-- ... --> onchange="sendMailClientSide(this.value);">
<!-- ... -->
</select>
and my javascript function :
function sendMailClientSide(refType) {
// ...
var dest = "test#domain.ty";
var subj = "Why this doesn't work ?";
var body = /* a very big body */;
var linkMailto = "?bcc="+dest+"&subject="+subj+"&body="+body;
document.location.href = "mailto:"+linkMailto;
// ...
}
For some mails types, this works perfectly.
But with a body more larger than 1400 characters, the client software doesn't open.
I have tried submitting HTML form too. With this method, the limit seems to be highter but it still has a limit because it fails with a bigger mail.
And finally, I tried cutting the body (something like this "&body="+body1+"&body="+body2+...) but it doesn't work.
Anybody know if a Firefox plugin exists to expand the mailto size ? Or something like this (something from client side) ?
I don't think that it is directly possible. Maybe with a plugin, as you already suggested.
My workaround would be to provide the user with a simple form which submits to the server which then sends the mail out directly (without opening the clients mail program at all). Thus you can easily avoid the size limit at all.
The problem with this would be, that the user don't have their known email interface and thus special text formatting, custom signatures and stuff like this won't work.
You would have to decide this based on the formatting needs and who is the recipient.
I'm trying to make a field similar to the facebook share box where you can enter a url and it gives you data about the page, title, pictures, etc. I have set up a server side service to get the html from the page as a string and am trying to just get the page title. I tried this:
function getLinkData(link) {
link = '/Home/GetStringFromURL?url=' + link;
$.ajax({
url: link,
success: function (data) {
$('#result').html($(data).find('title').html());
$('#result').fadeIn('slow');
}
});
}
which doesn't work, however the following does:
$(data).appendTo('#result')
var title = $('#result').find('title').html();
$('#result').html(title);
$('#result').fadeIn('slow');
but I don't want to write all the HTML to the page as in some case it redirects and does all sorts of nasty things. Any ideas?
Thanks
Ben
Try using filter rather than find:
$('#result').html($(data).filter('title').html());
To do this with jQuery, .filter is what you need (as lonesomeday pointed out):
$("#result").text($(data).filter("title").text());
However do not insert the HTML of the foreign document into your page. This will leave your site open to XSS attacks.
As has been pointed out, this depends on the browser's innerHTML implementation, so it does not work consistently.
Even better is to do all the relevant HTML processing on the server. Sending only the relevant information to your JS will make the client code vastly simpler and faster. You can whitelist safe/desired tags/attributes without ever worrying about dangerous ish getting sent to your users. Processing the HTML on the server will not slow down your site. Your language already has excellent HTML parsers, why not use them?.
When you place an entire HTML document into a jQuery object, all but the content of the <body> gets stripped away.
If all you need is the content of the <title>, you could try a simple regex:
var title = /<title>([^<]+)<\/title>/.exec(dat)[ 1 ];
alert(title);
Or using .split():
var title = dat.split( '<title>' )[1].split( '</title>' )[0];
alert(title);
The alternative is to look for the title yourself. Fortunately, unlike most parse your own html questions, finding the title is very easy because it doesn;t allow any nested elements. Look in the string for something like <title>(.*)</title> and you should be set.
(yes yes yes I know never use regex on html, but this is an exceptionally simple case)