Forum for discussing general topics related to Couch.
5 posts Page 1 of 1
Hi all,

I just wanted to understand how the "cloak_url" function works, and whether it truly hides the plain-text email address from the webpage. The reason I'm asking is that right now, if I use the following tag...
Code:
<cms:cloak_url 'me@example.com' />

...in the webpage I see this code:
Code:
<span id="vlk6oxBDpkZgz5uw">
  <a href="mailto:me@example.com">me@example.com</a>
</span>
<script type="text/javascript">
//<![CDATA[
var vXeDN5PriVqOFOxx=["109","x61","x69","108","116","111","58","109","x65","x40","101","120","97","109","112","x6c","101","46","99","x6f","x6d"];
var vdYEUKSKOETeI3Wr=["x6d","x65","64","101","x78","97","x6d","x70","x6c","101","46","x63","x6f","x6d"];
var v28U6s5oCjtWXCpk="<a hr"+"ef=\"";
for (i=0; i<vXeDN5PriVqOFOxx.length; i++) v28U6s5oCjtWXCpk+='&#'+vXeDN5PriVqOFOxx[i]+';';
v28U6s5oCjtWXCpk+='" >';
for (i=0; i<vdYEUKSKOETeI3Wr.length; i++) v28U6s5oCjtWXCpk+='&#'+vdYEUKSKOETeI3Wr[i]+';';
v28U6s5oCjtWXCpk+='</a>';
document.getElementById( 'vlk6oxBDpkZgz5uw' ).innerHTML = v28U6s5oCjtWXCpk;
//]]>
</script>

As far as I can see, although there is a 'script' element that gets produced by the tag, a plain-text link is then output by the JavaScript in the script - and this, of course, would be easily harvested by any bot. This doesn't look very secure.

I think I must be missing something - can someone explain to me how this works?
Hi luxlogica,

I think you meant cms:cloak_email (and not cms:cloak_url that you mentioned).

Anyways, if we place the following code in a template -
Code:
<cms:cloak_email 'me@example.com' />

This is what it gets expanded to (as seen in view:source) -
Code:
<span id='vfsWVubPzGqpNGah'>(Please enable JavaScript to view this email address)</span><script type="text/javascript">
//<![CDATA[
var vvgzSdbI0TUVT5cw=["109","97","x69","x6c","x74","111","58","x6d","x65","64","x65","120","97","x6d","x70","108","101","46","x63","111","x6d"];
var v0VemiYLMemZDNDD=["x6d","x65","x40","x65","120","x61","x6d","112","108","x65","x2e","99","x6f","109"];
var viPTxkYxLArA4j50="<a hr"+"ef=\"";
for (i=0; i<vvgzSdbI0TUVT5cw.length; i++) viPTxkYxLArA4j50+='&#'+vvgzSdbI0TUVT5cw[i]+';';
viPTxkYxLArA4j50+='" >';
for (i=0; i<v0VemiYLMemZDNDD.length; i++) viPTxkYxLArA4j50+='&#'+v0VemiYLMemZDNDD[i]+';';
viPTxkYxLArA4j50+='</a>';
document.getElementById( 'vfsWVubPzGqpNGah' ).innerHTML = viPTxkYxLArA4j50;
//]]>
</script>

As you can see, there is no 'me@example.com' anywhere in it in plain text (please do view:source and confirm this for yourself).

I think what you have pasted is what is seen through Firebug (which shows the output of the executed JS code).

In case you (or some other viewer) are still wondering how this is secure since eventually the JS code does result in a real email address -
the reason is that bots almost never fetch a page, load it into a DOM parser (like a browser), let all JS in the page execute and then parse out the final code looking for email addresses to harvest. This simply is not practical as it takes too much time.

The practice is to fetch raw HTML for the page (as what is seen when we do a view:source) and then sieve out any emails within it. As you have seen, our HTML has no visible email address and this is what makes it secure.

Of course, if someone utilizes a (slow and impractical) bot that executes the entire page just like a browser then the cms:cloak_email fails - but then so would every other method out there that tries to protect email from bots.

Like all security measures, this tag is not 100% foolproof but will help in warding off most of the bots.

Hope this answers your query.
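
The point made in the reply above, as an added example (not part of the original posts and not CouchCMS code): it builds markup of the same shape as the view-source output and checks that a plain-text scan of the served source finds no address, while the rendered DOM does expose it. The function names, the `cloak1` id and the regex are assumptions made for illustration.

```javascript
// Added example, not CouchCMS source. All function names are hypothetical.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Encode each character as a decimal ("109") or hex ("x6d") code point,
// the two forms seen in the arrays of the generated script.
function encodeChars(text, useHex = (i) => i % 2 === 1) {
  return Array.from(text, (ch, i) => {
    const cp = ch.codePointAt(0);
    return useHex(i) ? "x" + cp.toString(16) : String(cp);
  });
}

// What the browser ends up with once the loop has added "&#" and ";"
// and innerHTML has resolved the numeric character references.
function decodeChars(codes) {
  return codes
    .map((c) => (c.startsWith("x") ? parseInt(c.slice(1), 16) : parseInt(c, 10)))
    .map((cp) => String.fromCodePoint(cp))
    .join("");
}

// Build markup of the same shape as the view-source output in this thread.
function cloakMarkup(email, id = "cloak1") {
  const href = JSON.stringify(encodeChars("mailto:" + email));
  const text = JSON.stringify(encodeChars(email));
  return `<span id='${id}'>(Please enable JavaScript to view this email address)</span>` +
    `<script type="text/javascript">\n//<![CDATA[\n` +
    `var h=${href};\nvar t=${text};\nvar s="<a hr"+"ef=\\"";\n` +
    `for (var i=0; i<h.length; i++) s+='&#'+h[i]+';';\ns+='" >';\n` +
    `for (var i=0; i<t.length; i++) s+='&#'+t[i]+';';\ns+='</a>';\n` +
    `document.getElementById('${id}').innerHTML = s;\n//]]>\n</script>`;
}

// True when markup exposes an address to a plain-text scan of the source.
function leaksPlainEmail(html) {
  return EMAIL_RE.test(html);
}

// Constructed inputs: served source vs. the rendered DOM shown in the first post.
const served = cloakMarkup("me@example.com");
const rendered = '<a href="mailto:me@example.com">me@example.com</a>';
console.log(leaksPlainEmail(served), leaksPlainEmail(rendered)); // false true
```

Running `leaksPlainEmail` over the fetched source of a published page is a quick way to confirm the address is not present outside the cloak, for example in a footer or a meta tag.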
@kk, yes, you were right on both counts: I did mean 'cloak_email', and I was looking at the code output instead of the page source. Indeed, it's doing what it's supposed to do. Thank you!
It's been a while; maybe I've just forgotten something.

I've placed my <cms:cloack_email email/> tag between some show_repeatable's and the end result (across 3 different browsers) is //';for(i=0;i"> as HTML text, and an even more messed up code as the link!!

In an older project I did, the same code works fine. Puzzling. Do I have to enable something in kfunctions maybe?

Help!!

P.S.
The show_repeatable tags are between a cms:pages tag.
When I use them right on the master page itself, everything works fine, just not between cms:pages..
---
You live many times, but only ever remember your lives.length - 1
---
Simmons,

I'll have to take a look at the full code to know anything about the cause.

Please PM me all the relevant files to duplicate the issue on my machine and I'll look into the problem.

Thanks.