next »

[cyberk]

First day playing with MODx and very impressed.

Here's a little plugin to obfuscate email links with Javascript.

It basically scours the page for mailto: email links, and if it finds one it obfuscates it before sending the result to the browser. Yes, this is kind of a brute force method, but for our clients we find it's MUCH easier to just let them enter email addresses as normal and to obfuscate them on-the-fly than making them remember to enter one via some sort of snippet code. I suppose this could easily be re-written as a Snippet to let you choose which bits of content you wanted to scour for obfuscation, but as a plug-in it's set it and forget it for the entire site.

To install:

1. Create a new Plugin named whatever you want (i.e. Email Obfuscator).

2. Under System Events, check the OnWebPagePrerender event.

3. Save and enjoy.

Assuming everything works right, all the regular email links on every page on your site should be obfuscated with Javascript. No guarantees as to the spambot-proofness of the actual obfuscation, and please note that it does NOT obfuscate email addresses that are written outside a mailto: link.

And with all that said, here's the plugin:

Code:

function replaceEntities($str) {

       $str=html_entity_decode($str);

for ($i = 0 ; $i < strlen($str) ; $i++) {
$strreplaced = $strreplaced . "&#" . ord($str{$i}) . ";";
}
return $strreplaced;
}

function emailaddress($matches) {

$strNewAddress = replaceEntities($matches[1]);

$strText = replaceEntities($matches[2]);

$arrEmail = explode("&#64;",$strNewAddress);

$strTag = "<script language='Javascript' type='text/javascript'>" . "\r";
$strTag = $strTag . "<!--" . "\r";
$strTag = $strTag . "document.write('<a href=\"mai');" . "\r";
$strTag = $strTag . "document.write('lto');" . "\r";
$strTag = $strTag . "document.write(':" . $arrEmail[0] . "');" . "\r";
$strTag = $strTag . "document.write('@');" . "\r";
$strTag = $strTag . "document.write('" . $arrEmail[1] . "\">');" . "\r";
$strTag = $strTag . "document.write('" . $strText . "<\/a>');" . "\r";
$strTag = $strTag . "// -->" . "\r";
$strTag = $strTag . "</script><noscript>" . $arrEmail[0] . " at " . "\r";
$strTag = $strTag . str_replace("&#46;"," dot ",$arrEmail[1]) . "</noscript>";

return $strTag;

}


$modx->documentOutput=preg_replace_callback("#<a[^>]*mailto:([^'\" ]*)['\" ]>([^<]*)</a>#i","emailaddress",$modx->documentOutput);

[Commodore64]

I had to replace the occurrences of "documentContent" with "documentOutput" 

After that, the plugin worked like a charm. Very cool 

[sottwell]

A plugin on the first day?  Ooooh!  Always very happy to see a professional join the community! (your site is really nice, too!)

[davidm]

Yeah, nice one, and on your first day pretty amazing...
Amazing we have two antibot plugins in the same week

And Susan, thanks for attracting our attention on cyberk's website : indeed very very nice ! Waow... And also : I very much like your approach of webdesign, first class ...glad to have you there !

[cyberk]

Thanks, all!

Can someone explain the difference between documentContent and documentOutput? Both seem to work equally well for me here?

[OpenGeek]

$modx->documentContent is used internally by the parser to store the output of a document, and can be retrieved dynamically from the DB or from the cache, depending on certain settings.  However, the final portion of the parsing process, which is responsible for parsing uncached snippet tags and replacing any remaining placeholders in the content, uses $modx->documentOutput to collect the final bits of uncached page data and merge it into the $modx->documentContent.  Then it checks to see if the $modx->documentContent was generated from the database (vs. retrieved from cache), and if so, it caches the $modx->documentContent while still outputting the $modx->documentOutput.

In other words, $modx->documentContent is the potentially cacheable content for a page, while $modx->documentOutput represents the final output to be delivered following final processing that occurs on all pages, regardless of the cacheability.

[cyberk]

Thanks, Jason!

I updated the code above.

[Kunal Kapoor]

This plugin works a treat. Thanks a lot. This should be added to the REPOSITORY. This is much easier to use than my little snippet.

[Djamoer]

Thanks for bringing this up. Link added. Thanks for the great plugin as well. I'm looking forward to all your new invention with MODx

[dernier_recours]

The plugin does not allow rendering of special characters. For example, <a href="mailto:email@email.com">événement</a> will be shown as a link &eacute;v&eacute;nement.

[Aikdo]

AMAZING snippit my only thing would be with any sort of bot would not have Javascript enabled and so your comment about spambot proofness is good in the fact it would only obscure it against your end user... shame really i really like the idea...

[zi]

This plugin is very good!

..and it would be great if someone adds the functionality asked 2 posts up here.

Thanks for sharing.

regards,

zi

[cyberk]

The plugin does not allow rendering of special characters. For example, <a href="mailto:email@email.com">événement</a> will be shown as a link &eacute;v&eacute;nement.

Great catch. I've fixed the plug-in to handle special characters correctly.

The code in the original post has been fixed. Either replace code with fixed code, or simply add this line:

$str=html_entity_decode($str);

as the first line in the replaceEntities function. That's the only change necessary.

Thanks!

[Colin]

This may be a stupid question, but that's never stopped me before: what happens if the visitor has JS disabled?

[cyberk]

This may be a stupid question, but that's never stopped me before: what happens if the visitor has JS disabled?

It will display "name at address dot com"

At least, I'm pretty sure that's what it does.

[Colin]

Hmmm.

I know that you made a point of no guarantees about this method, but I would imagine that "name at address dot com" is exactly what the spambots would see, and many must now be capable of harvesting such obfuscated addresses.

I am certain that this is still of value, but its value must be diminishing. Also, some when presented with such an obfuscated address, will not interpret it properly.

I use an image, but that has its own problems, as typos can develop when copying the address. Personally, I'll be switching to a form method instead.

However, I might use this with members' blog section I'm developing, as it will definitely help.

Thanks.

[cyberk]

Hmmm.

I know that you made a point of no guarantees about this method, but I would imagine that "name at address dot com" is exactly what the spambots would see, and many must now be capable of harvesting such obfuscated addresses.

I am certain that this is still of value, but its value must be diminishing.

True, though it's easy to modify the plug-in to show something different in the <noscript> version if you want to be hardier against spambots.

[Colin]

Sorry, I was modifying my last pot when you replied. You are certainly quick off the mark!

OK, that sounds even better. I'll definately look at this.

Again, thanks.

[ZAP]

This is an excellent plug-in. I think that JavaScript cloaking does still frustrate a lot of spam harvesters, and it's too easy not to do. I still hide my main email addresses in forms that don't show the recipient, but this works great for parsing all the random ones that end up on any site (especially one with user comments).

[qson]

The document does not validate (XHTML 1.0 Transitional) because of the noscript tag.

document type does not allow element "noscript" here; missing one of "object", "applet", "map", "iframe", "button", "ins", "del" start-tag

Which of the "missing" tags is best to use? I want my page to validate, but also I want it to cloak the adresses.

(I could remove the noscript tag completely though)