Not really a coding question, more theoretical and code is not needed as I know how to do it, but I'm not sure where else to ask this.
I have an idea for preventing spam bots from seeing that I have a form, but I cannot test this in local code. Can I just make the form completely javascript generated, and then write it to the inner html of a tag after a one second timeout? Seems too easy so there must be some reason why this wouldn't work. I can't find where anybody tried this and tested it for a while so I don't know if it will work or not.
So based on what anybody knows about how bots work, can they still see that I have a form, especially if the js is obfuscated? I would think that the bot would never wait around to receive this or detect the change in the html, but would it find the form in obfuscated js?
Google's search spider claims that it can run some/most JavaScript when it evaluates a page, so I think it is reasonable to expect that at least some spam bots can do this now, and more so in the future.
Additionally, some spam bots are actually real people working for a pittance, using real browsers, so overall this will not work in the long term.
Related
Kindly looking to hide code from view code / inspect element is this safe to use ? I saw this anser here How to hide form code from view code/inspect element browser?
eval(function(p,a,c,k,e,d){e=function(c){return
c.toString(36)};if(!''.replace(/^/,String)){while(c--)
{d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return
d[e]}];e=function(){return'\\w+'};c=1};while(c--)
{if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),
k[c])}}return p}('(3(){(3 a(){8{(3 b(2)
{7((\'\'+(2/2)).6!==1||2%5===0){(3(){}).9(\'4\')()}
c{4}b(++2)})(0)}d(e){g(a,f)}})()})();',17,17,'
||i|function|debugger|20|length|if|try|constructor
|||else|catch||5000|setTimeout'.split('|'),0,{}))
In an answer about as useful as the question,
"No".
Most of us can't read the code because it is packed/obfuscated, and won't invest the time to try to read it.
If you're asking if it will prevent the user from opening the Developer Tools, then I don't know, because that would require me trying to run the code, which I'm not going to do, since I can't read the code and it could be malicious.
If you're asking if it will prevent someone from obtaining the rest of the code on your website, then no, it will not. A determined user could use curl or one of several other tools to retrieve the raw HTML or Javascript.
If you're asking if the code pasted above is secure because it is packed, then no, it is not. A determined user could quite easily analyze the code by hand and, once analyzed, write something to reverse engineer the packed code (that's assuming it uses an unknown packer -- if it uses a well-known packer, then someone has probably already written something to reverse it).
Is there a way to prevent the theft of a website's code?
One can never fully block a determined user from analyzing your code, only make things more annoying from them.
Simply using a minifier/uglifier on Javascript is usually enough to make the code mostly worthless to try to steal, since the cost of trying to analyze, rewrite it and further develop it is usually comparable to the cost of writing the same code from scratch.
This question already has answers here:
How can I prevent javascript code theft?
(7 answers)
Closed 6 years ago.
I made many javascripts for my blogger after hard work. So, I don't want anyone steal my codes, can I do that?
I tried obfuscate and encode from many websites, but anyone can easily steal it after that, So it just slow my website.
I need really solution : )
You can't. The only thing you can do is make your code harder to read by minimizing it, and otherwise obfuscating it. The code is sent to the client; you must assume they'll try to read it.
If you visit a website and the page is already "constructed", it means they used a server side language/framework to create the page before it was sent.
Javascript files are shown publicly, and sent directly to the client, so there's no way you can prevent them from being viewed. You had the right idea trying to obfuscate it, as that's the only solution, you just need to find the right obfuscater. In my opinion, you shouldn't even obfuscate them, as most scripts are written in a matter of minutes, it wouldn't make much sense for somebody to steal yours. If you really need to do so, then a quick google search returns this.
No, you can't. At the end of the day, the user can look at any javascript that is being run on the client. If you're doing anything that is business sensitive (such as connecting to databases, etc), that should take place on the server, so that users can't see it. Client-side JavaScript is intended to work with data that the user can see anyway, so it's not important for it to be obfuscated.
If you're just jealous that someone is going to to use your code, well.. Tough luck. Though I should say that in all likelihood nobody is interested in stealing your code. If they're going to reuse code, they'll download a plugin - not go through the source of random websites to see if there's anything they could scavenge.
People have mentioned obfuscation, but if that's your goal, you're doing something wrong. You should certainly minify your code - but that's to make it take less space, and thus load faster. Not to obfuscate it.
I'm trying to create a button on my webpage that, when clicked, embeds a particular div into an email and sends it out. I want the email's look and feel to be exactly like the webpage (minus the Javascript of course). That is, it should resemble the behavior of clicking file>share>email in Safari, except that I only want parts of the page and not the entire thing.
Is there any easy way to do this? Your help is very much appreciated.
Update:
So I ended up using AJAX to invoke a PHP script to do this, with the help of this library: http://pear.php.net/package/Mail_Mime
Still struggling with the CSS, but it looks pretty promising so far.
It sounds like you want to be able to have the browser talk to the user's email client (i.e., click on mailto:test#test.com and have this bit of HTML appear in the email client ready to be sent off). That won't happen with a regular browser and javascript, because the window doesn't know anything about what other programs are available or in use on the user's machine. You'll need to send the HTML to the server and have the server send the email. Also, I've been told that CSS styling for email is very difficult, so having the 'look and feel be exactly like the webpage' is going to be tougher than you probably think.
All that said, it is very doable. You just need to focus your effort on getting the HTML to the server and then deciding what library to use to send the email (depends on the language). That's only half the battle, though, as you'll need to work just as hard to style it and test it on a variety of email clients (I assume). I've never done CSS for email before, but I'm pretty sure that's what's generally involved.
My user is filling out a small form (just the email address) and I send this data to the server via javascript. I send the form, then clear the data from the fields.
Is it bad practice to simply give the user a js alert like alert('Your email has been added') as opposed to adding markup to display the message? I don't see it often today, so I'm wondering if it reflects some perception that using alerts isn't good. It makes the code much easier though, and I wonder why not!
And a side question, is it possible to just style this alert so it doesn't look so bad?
alert interrupts the user in whatever he was doing. That's not good and should only be done if it is absolutely necessary. An alert is not necessary, because the user has only one way to continue anyway.
It's not a very pleasant user experience when popup alerts keep appearing. Annoying as they interrupt what you are doing and you have to click on a button to carry on what you are doing. Excessive use makes it very unlikely that they will ever be read, causing big problems when something actually important comes up or the user has to make a choice.
Having more sophisticated feedback in the interface creates a much better experience.
Since you tagged this with jquery
$('#my-form').prepend('<p class="notice">Your email has been added</p>');
Was that really so hard?
If the main purpose of your page is to collect the email address I think it is perfectly valid to use an alert box.
I think the main reason you don't see this practise any longer, is that you have limited possibility to style the alert box.
I.e. it is not very Web 2.0
"And a side question, is it possible to just style this alert so it doesn't look so bad?"
Nope. And you can't change the title, design or anything like that, it's purely browser dependant!
I for one find it annoying when alerts pop up left right and centre, they're modal so you HAVE to click on them and while they were used a lot for that back in the day, these days it's generally much more accepted to write something into the web page. This has a number of advantages over an alert dialog:
You can skin it to suit your needs entirely
It doesn't annoy the user as much
Sometimes browsers these days can prevent sites from displaying alert dialogs at all (because they're so annoying)
An alert dialog disappears as soon as you click OK, you have to remember what it was moaning about or what it said. If it's built into the page then this information remains there for you to see.
If you genuinely need a modal-like dialog box these days (and for this case I'd say you didn't) it's far more common to use a JS library to emulate one. That way you can get the exact behaviour you want, it can look in keeping with the web page and can't be turned off by the browser.
alert() is largely seen as a non-graceful solution in terms of UI design these days. With that in mind, it really comes down to the environment - if it's a public facing consumer website, I avoid using alert() whenever possible as it disrupts the user's flow. If it's a backend-style corporate website, screw it, an alert can work fine there (but still use your judgement, lightweight markup never hurt anyone).
They're annoying, break the flow and personally I think they're only appropriate for 'alerting' users to something. Something like a message to inform you that you've been registered which is more 'confirmation. and the expectation in these Web 2.0 days is that such things appear in a more permanent form on the main webpage/ GUI.
In my opinion it's quite obtrusive as it blurs the difference between harmless web error messages (for example, you forgot to enter your password!) and more serious application errors.
Also if you don't handle them properly, you can't get 3-4 consecutive errors which is extremely annoying.
It's easy and quick to implement however, gets the user attention, and guarantees they won't be able to do anything until they have seen and pressed ok on the error message.
As for styling, you can't. But take a look at jGrowl, it has a really nice way of doing error messages.
The site I'm working on displays some proprietary 3rd party data that's quite valuable. As such they want to stop people copying and pasting their information. They understand that, of course, there's nothing we can do to stop users just writing down info or printing it off, but they want to make it as difficult as possible for their data to be taken. The other big concern is performance. The site sees a healthy amount of activity, so keeping it snappy is a big deal.
I was hoping to get a bit of feedback from you guys on the best way of accomplishing this
Some potential solutions that have been suggested:
Use a bit of javascript to stop users hitting ctrl / right clicking (irritating and won't stop more advanced users)
Use flex (very slow, but very safe since the data is binary)
Create or find some funky html to image converter and display the data as images
Your thoughts and opinions are very welcome.
Thanks in advance!
Charge the users for access to the information.
You can try all sorts of code workarounds, but you really aren't going to stop anyone who is determined. By charging, you limit access to people who really need the information and if they copy it, then at least you've been reimbursed. It also filters out a lot of the people who would use it maliciously. Also, put a legal notice on the information detailing how it can be used so that you can follow up copiers with legal action if necessary.
This really sounds like a serious problem with the origins of the question. If this is something that shouldn't be easy to copy, why is it visible at all?
If its really proprietary, why is it a good idea to post it on the web?
Seems that an internal webpage would be more appropriate.
It is a tricky situation, since this is the web...
You could use a very small bit of flash to display the sensitive data, which you'd have complete control over, and if it's small, shouldn't hurt your download times. This would probably be my preferred method.
Option #3 would stop people from copying and pasting, but it wouldn't stop them from downloading the image. I'm not sure if that matters to you.
Do you need to serve audiences that have javascript turned off? If not, you could use AJAX to pull the sensitive information in the first place, then use a script to stop them from copying that div or whatever.
You might want to check out Tynt Tracer. It doesn't prevent copying, but at least allows you to track where it's going...in part anyway.
You might look at the option 1, as a "bare minimum" way of doing it, but admittedly it isn't a great option, as simply disabling JS gets around it.
Your third idea would also work, but you can actually make it easier to save by going to the image and the way they are stored in temporary internet files.
Also, as a side note, to prevent printing you might want to specify a print only CSS that hides all content.
body {display:none;}
It isn't perfect, but again stops the casual user from printing.
Charging money for the content is a good answer, but I'm guessing you're already charging for the content.
#2 is clearly the most secure option, and the most flexible, allowing you to really punish yourself as much as possible as well (do things like implement over the wire encryption etc...) So it should come as no surprise it is also the most expensive to implement.
Given, someone can just decompile your code and inspect memory, but at that point, it is doubtful you are going to stop anyone.
Offer the information for download in password protected pdf, where the only thing that they can do is to view it, no printing, copy paste, etc. Although you can't stop a print screen. Primo PDF can do that for you and is free. http://www.primopdf.com/
They key here is the that effort it takes to bypass any solution you choose, is greater than the value of the information you are trying to protect from being copied.