CF-Hash attribute and script mysteriously added to mailto links

Submitted by 冷眼眸甩不掉的悲伤 on 2019-11-28 10:32:06

Question


I have a development site and production site:

I have a mailto email link at the bottom, the php source code is exactly as follows:

           <section>
               <h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
               <p>Contact me today: <br/>
                <a href='mailto:mail@example.com'>mail@example.com</a>
                   <br/>
                <a href='tel:+13334445555'>333 444 5555</a>
               </p>
           </section>

Everything is normal on my development site, the produced html is as follows:

                <section>
                    <h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
                    <p>Contact me today: <br>
                        <a href="mailto:mail@example.com">mail@example.com</a>
                        <br>
                        <a href="tel:+13334445555">333 444 5555</a>
                    </p>
                </section>

Then mysteriously on my production site some JavaScript is being added to my mailto link (and only mailto links; in this case just the one, but I have added more and the script is added to them as well). Here is the HTML output on the production site:

<section>
<h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
<p>Contact me today: <br>
<a href="mailto:mail@example.com">mail@example.com
<script cf-hash="f9e31" type="text/javascript">
/* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function()        {for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */
</script>
</a>
<br>
<a href="tel:+13334445555">333 444 5555</a>
</p>
</section>

I have checked the code on my production server, this script is not there.

What could possibly be going on?


Answer 1:


This isn't related to ColdFusion. In this code, cf-hash is an attribute of a SCRIPT tag (plain HTML). Searching on 'cf-hash="f9e31"' gets a lot of similar code out there. Found this link that points to it possibly being a CloudFlare Email Protection script. That would be something running on your production server that's not in your local development environment.




Answer 2:


CloudFlare obfuscates your email address by default. If you want to ignore obfuscation for an email, just wrap it in HTML comment tags like this. CloudFlare will ignore these.

<!--email_off-->EMAIL ADDRESS<!--/email_off-->

Source: http://roaringapps.com/blog/cloudflare-email-obfuscation/




Answer 3:


Here's how to decode Cloudflare's email obfuscation in different languages:

Javascript

function cfDecodeEmail(encodedString) {
    var email = "", r = parseInt(encodedString.substr(0, 2), 16), n, i;
    for (n = 2; encodedString.length - n; n += 2){
        i = parseInt(encodedString.substr(n, 2), 16) ^ r;
        email += String.fromCharCode(i);
    }
    return email;
}

console.log(cfDecodeEmail("543931142127353935313e352e7a373b39")); // usage

Python

def cfDecodeEmail(encodedString):
    r = int(encodedString[:2],16)
    email = ''.join([chr(int(encodedString[i:i+2], 16) ^ r) for i in range(2, len(encodedString), 2)])
    return email

print( cfDecodeEmail('543931142127353935313e352e7a373b39') ) # usage

PHP

function cfDecodeEmail($encodedString){
  $k = hexdec(substr($encodedString,0,2));
  for($i=2,$email='';$i<strlen($encodedString)-1;$i+=2){
    $email.=chr(hexdec(substr($encodedString,$i,2))^$k);
  }
  return $email;
}

echo cfDecodeEmail('543931142127353935313e352e7a373b39'); // usage

GO

package main

import (
    "bytes"
    "strconv"
)

func cf(a string) (s string) {
    var e bytes.Buffer
    r, _ := strconv.ParseInt(a[0:2], 16, 0)
    for n := 4; n < len(a)+2; n += 2 {
        i, _ := strconv.ParseInt(a[n-2:n], 16, 0)
        // Append the decoded byte; string(int64) would encode it as a rune.
        e.WriteByte(byte(i ^ r))
    }
    return e.String()
}

func main() {
    email := cf("543931142127353935313e352e7a373b39") // usage
    print(email)
    print("\n")
}

C++

#include <iostream>
#include <string>

using namespace std;

string cfDecodeEmail(string encodedString);

int main()
{
    cout << cfDecodeEmail("543931142127353935313e352e7a373b39") << endl;
}

string cfDecodeEmail(string encodedString)
{
    string email;
    char xorKey = stoi( encodedString.substr(0, 2), nullptr, 16);
    for( unsigned i = 2; i < encodedString.length(); i += 2)
        email += stoi( encodedString.substr(i, 2), nullptr, 16) ^ xorKey;

    return email;
}

C#

using System;

public class Program
{
    public static string cfDecodeEmail(string encodedString)
    {
        string email = "";
        int r = Convert.ToInt32(encodedString.Substring(0, 2), 16), n, i;
        for (n = 2; encodedString.Length - n > 0; n += 2)
        {
            i = Convert.ToInt32(encodedString.Substring(n, 2), 16) ^ r;
            char character = (char)i;
            email += Convert.ToString(character);
        }

        return email;
    }

    public static void Main(string[] args)
    {
        Console.WriteLine(cfDecodeEmail("543931142127353935313e352e7a373b39")); // usage
    }
}


Source




Answer 4:


Cloudflare hides the email address to prevent bots from scraping them from web pages.

If you are a normal web user rather than a bot you will be running JavaScript. Cloudflare injects JavaScript which unscrambles the email addresses.

Some web pages won't allow inline JavaScript to run and thus end users can't see the email addresses.

Consider varying the Content-Security-Policy meta tag emitted by the website to allow the running of inline JavaScript.

e.g. see use of 'unsafe-inline';

"As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example."

More useful information on this here : https://developer.chrome.com/extensions/contentSecurityPolicy
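
As an added example (not part of the original answers): instead of enabling 'unsafe-inline', the hash mechanism quoted in the last answer can be applied by hashing each inline script in the served HTML and listing those hashes in script-src. The sample HTML, the function names and the 'self' baseline are assumptions made for illustration, and Node.js is assumed for the crypto module.

```javascript
// Added example: build a hash-based script-src directive for the inline
// scripts of a page. Weak alternative: script-src 'self' 'unsafe-inline',
// which allows every inline script, including ones an attacker injects.
const nodeCrypto = require('node:crypto');

// CSP hash source for one inline script: algorithm prefix + base64 digest of
// the exact text between <script ...> and </script>, whitespace included.
function cspHashSource(scriptText, algo = 'sha256') {
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) {
    throw new Error('CSP allows only sha256, sha384 or sha512');
  }
  const digest = nodeCrypto.createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Collect the bodies of inline scripts (no src attribute). A regex is enough
// for this constructed sample; use a real HTML parser on production markup.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].length > 0) out.push(m[2]);
  }
  return out;
}

// One directive listing each distinct inline script hash exactly once.
function scriptSrcDirective(html) {
  const hashes = [...new Set(inlineScripts(html).map((s) => cspHashSource(s)))];
  return ["script-src 'self'", ...hashes].join(' ');
}

// Constructed sample page: one inline script and one external script.
const SAMPLE_HTML =
  '<a href="#">[email]<script cf-hash="f9e31" type="text/javascript">' +
  'alert("Hello, world.");</script></a>' +
  '<script src="/app.js"></script>';

console.log(scriptSrcDirective(SAMPLE_HTML));
```

The hash covers the exact text between the tags, so it has to be computed from the HTML as served and regenerated whenever the inline script changes.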



Source: https://stackoverflow.com/questions/27513190/cf-hash-attribute-and-script-mysteriously-added-to-mailto-links
