CF-Hash attribute and script mysteriously added to mailto links

忘掉有多难 2020-12-21 23:28

I have a development site and production site:

I have a mailto email link at the bottom, the php source code is ex

4 Answers
  • 2020-12-21 23:35

    Cloudflare hides the email address to prevent bots from scraping them from web pages.

    If you are a normal web user rather than a bot you will be running JavaScript. Cloudflare injects JavaScript which unscrambles the email addresses.

    Some web pages won't allow inline JavaScript to run and thus end users can't see the email addresses.

    Consider varying the Content-Security-Policy meta tag emitted by the website to allow the running of inline JavaScript.

    e.g. see use of 'unsafe-inline';

    "As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example."

    More useful information on this here : https://developer.chrome.com/extensions/contentSecurityPolicy

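The hash allowlisting quoted in the answer above, worked through as an added example (not part of the original answer and not Cloudflare's code): it computes the CSP source expression for one inline script and models whether a policy would let that script run, including the rule that a listed hash or nonce makes browsers ignore 'unsafe-inline'. The function names and the sample script are hypothetical, and the check is a simplified model of CSP, not a full parser.

```python
import base64
import hashlib

HASH_ALGOS = ("sha256", "sha384", "sha512")
# Constructed sample: the exact text between <script> and </script>.
SAMPLE_INLINE = "document.title = 'constructed sample';"


def csp_hash(script_body, algo="sha256"):
    """Return the CSP source expression ('<algo>-<base64 digest>') for an inline script."""
    if algo not in HASH_ALGOS:
        raise ValueError("CSP hashes must be sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def script_sources(policy):
    """Source list that governs scripts, or None if the policy does not restrict them."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src"))


def inline_script_allowed(policy, script_body):
    """Simplified model: would an inline script without a nonce attribute run?"""
    sources = script_sources(policy)
    if sources is None:
        return True
    if any(csp_hash(script_body, algo) in sources for algo in HASH_ALGOS):
        return True
    keywords = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' once the list carries a hash or nonce.
    strict = any(k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords)
    return "'unsafe-inline'" in keywords and not strict


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' " + csp_hash(SAMPLE_INLINE)
    print("Content-Security-Policy:", policy)
    print("unchanged script allowed:", inline_script_allowed(policy, SAMPLE_INLINE))
    print("modified script allowed:", inline_script_allowed(policy, SAMPLE_INLINE + " "))
```

The hash covers the script text byte for byte, so any change to the inline script, even added whitespace, needs a new hash in the policy.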
  • 2020-12-21 23:48

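    Cloudflare email de-obfuscation in different languages:

    JavaScript

    function cfDecodeEmail(encodedString) {
        // The first hex byte is the XOR key; each following byte is one character XORed with it.
        var email = "", r = parseInt(encodedString.substr(0, 2), 16), n, i;
        // Bound the loop with "<" so an odd-length input cannot loop forever.
        for (n = 2; n < encodedString.length; n += 2) {
            i = parseInt(encodedString.substr(n, 2), 16) ^ r;
            email += String.fromCharCode(i);
        }
        return email;
    }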
    
    console.log(cfDecodeEmail("543931142127353935313e352e7a373b39")); // usage

    Python

    def cfDecodeEmail(encodedString):
        r = int(encodedString[:2],16)
        email = ''.join([chr(int(encodedString[i:i+2], 16) ^ r) for i in range(2, len(encodedString), 2)])
        return email
    
    print( cfDecodeEmail('543931142127353935313e352e7a373b39') ) # usage
    
    

    PHP

    function cfDecodeEmail($encodedString){
      $k = hexdec(substr($encodedString,0,2));
      for($i=2,$email='';$i<strlen($encodedString)-1;$i+=2){
        $email.=chr(hexdec(substr($encodedString,$i,2))^$k);
      }
      return $email;
    }
    
    echo cfDecodeEmail('543931142127353935313e352e7a373b39'); // usage
    
    

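    Go

    package main
    
    import (
        "bytes"
        "strconv"
    )
    
    func cf(a string) (s string) {
        var e bytes.Buffer
        // The first hex byte is the XOR key for every byte that follows.
        r, _ := strconv.ParseInt(a[0:2], 16, 0)
        for n := 4; n <= len(a); n += 2 {
            i, _ := strconv.ParseInt(a[n-2:n], 16, 0)
            // Write the decoded byte; string(int64) would UTF-8 encode a rune instead.
            e.WriteByte(byte(i ^ r))
        }
        return e.String()
    }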
    
    func main() {
        email := cf("543931142127353935313e352e7a373b39") // usage
        print(email)
        print("\n")
    }
    
    

    C++

    #include <iostream>
    #include <string>
    
    using namespace std;
    
    string cfDecodeEmail(string encodedString);
    
    int main()
    {
        cout << cfDecodeEmail("543931142127353935313e352e7a373b39") << endl;
    }
    
    string cfDecodeEmail(string encodedString)
    {
        string email;
        char xorKey = stoi( encodedString.substr(0, 2), nullptr, 16);
        for( unsigned i = 2; i < encodedString.length(); i += 2)
            email += stoi( encodedString.substr(i, 2), nullptr, 16) ^ xorKey;
    
        return email;
    }
    
    

    C#

    using System;
    
    public class Program
    {
        public static string cfDecodeEmail(string encodedString)
        {
            string email = "";
            int r = Convert.ToInt32(encodedString.Substring(0, 2), 16), n, i;
            for (n = 2; encodedString.Length - n > 0; n += 2)
            {
                i = Convert.ToInt32(encodedString.Substring(n, 2), 16) ^ r;
                char character = (char)i;
                email += Convert.ToString(character);
            }
    
            return email;
        }
    
        public static void Main(string[] args)
        {
            Console.WriteLine(cfDecodeEmail("543931142127353935313e352e7a373b39")); // usage
        }
    }
    
    

    Source

  • 2020-12-21 23:49

    This isn't related to ColdFusion. In this code, cf-hash is an attribute of a SCRIPT tag (plain HTML). Searching on 'cf-hash="f9e31"' gets a lot of similar code out there. Found this link that points to it possibly being a CloudFlare Email Protection script. That would be something running on your production server that's not in your local development environment.

  • 2020-12-21 23:51

    CloudFlare obfuscates your email address by default. If you want to ignore obfuscation for an email, just wrap it in HTML comment tags like this. CloudFlare will ignore these.

    <!--email_off-->EMAIL ADDRESS<!--/email_off-->
    

    Source: http://roaringapps.com/blog/cloudflare-email-obfuscation/
