how to protect email adresses ?

You should use a server side filter when outputting HTML data. There is nothing in the editor for it at this moment.

I would also be very interested in a fck-solution (no server-side post processing) to this problem. At least for the next version!! Maybe (version 2.6) you could change the following lines (108-124) in the file "editor/dialog/fck_link/fck_link.js"

oParser.CreateEMailUri = function( address, subject, body )
{
   var sBaseUri = 'mailto:' + address ;

   var sParams = '' ;

   if ( subject.length > 0 )
      sParams = '?subject=' + encodeURIComponent( subject ) ;

   if ( body.length > 0 )
   {
      sParams += ( sParams.length == 0 ? '?' : '&' ) ;
      sParams += 'body=' + encodeURIComponent( body ) ;
   }

   return sBaseUri + sParams ;
}

such that the email address gets encoded.

dev site

The easiest way would be the following: Replace the line

return sBaseUri + sParams;

by the lines

var uri = sBaseUri + sParams;
  var urj = '';
  for ( var i = 0; i < uri.length; i ++ ) {
    if ( i > 0 ) { urj += ','; }
    urj += uri.charCodeAt(i);
  }
  return 'javascript:location.href=String.fromCharCode(' + urj + ')';

The problem: If afterwards you would like to edit the email-link, you get as protocol "other" and as url "javascript:location.href=String.fromCharCode(109,97,105,108,116,111,58,...)" which could no more be detected as an email link.

The solution: However, if you further modify the javascript file, we could re-detect the url as an email link. I'm talking about the function LoadSelection(), where we actually search for the mailto: "protocol". We should change this, such that we search for the javascript "protocol" and a url that matches "location.href=String.fromCharCode(INTEGERLIST)", where INTEGERLIST is a comma-separated list of integers. Then we can get the actual url by simply executing String.fromCharCode(INTEGERLIST) and if this starts by mailto:, we can call the oParser.ParseEMailUrl function. I haven't implemented this.

The drawback: Urls get very long, as each char would take 2-4 chars after encoding. Second drawback, it works only for ascii chars. Possible third drawback, some spambots may already scan the code for such fromCharCode(INTEGERLIST) encodings.

// Assume the html code is stored in the variable $html
$dom = new DOMDocument();
@$dom->loadHTML($html);

// Get all mail links in the html code
$xpath = new DOMXPath($dom);
$links = $xpath->evaluate('//a[starts-with(@href,"mailto:")]');

for ( $i = 0; $i < $links->length; $i ++ ) {
  $link = $links->item($i);
  $href = $link->getAttribute('href');

  $new = 'javascript:location.href=String.fromCharCode(';
  for ( $j = 0; $j < strlen($href); $j ++ ) {
    if ( $j > 0 ) { $new .= ','; }
    $new .= ord(sub str($href, $j, 1)); // !!IMPORTANT Remove the space between "sub" and "str" (the forum did not accept it as one word)
  }
  $new .= ');';

  // This works, as in php the objects would be stored in variables by reference
  $link->setAttribute('href', $new);
}

$html = $dom->saveHTML();

<p><a href="mailto:mail@fckeditor.net">Email</a>, <a href="mailto:mail@fckeditor.net?subject=fck%20is%20great">Email with subject</a>, <a href="mailto:mail@fckeditor.net?subject=fck%20is%20great&amp;body=greets">Email with subject and body</a></p>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p><a href="javascript:location.href=String.fromCharCode(109,97,105,108,116,111,58,109,97,105,108,64,102,99,107,101,100,105,... 116,111,114,46,110,101,116);">Email</a>, <a href="javascript:location.href=String.fromCharCode(109,97,105,108,116,111,58,109,97,105,108,64,102,99,107,101,100,105,... 116,111,114,46,110,101,116,63,115,117,98,106,101,99,116,61,102,99,107,37,50,48,105,115,37,50,48,103,114,101,97,116);">Email with subject</a>, <a href="javascript:location.href=String.fromCharCode(109,97,105,108,116,111,58,109,97,105,108,64,102,99,107,101,100,105,... 116,111,114,46,110,101,116,63,115,117,98,106,101,99,116,61,102,99,107,37,50,48,105,115,37,50,48,103,114,101,97,116,38,... 98,111,100,121,61,103,114,101,101,116,115);">Email with subject and body</a></p></body></html>

Me personally, I would prefer not to use the simple fromCharCode technique described above. In my opinion, a better solution would be the following: Ask the user to add a javascript function to his frontend output, i.e.

function mto(domain,name,subject,body) {
  location.href = 'mailto:' + name + '@' + domain + '?subject=' + subject + '&body=' + body;
}

To make it even more "ciphered" you could use something like this

function mto(domain,name,subject,body) {
location.href = String.fromCharCode(110-1,90+7,110-5,100+8,100+16,120-9,60-2) + name + String.fromCharCode(70-6) + domain +  '?subject=' + subject + '&body=' + body;
}

You just have to make sure, that the simple algebraic operations in the fromCharCode INTEGERLIST correspond to (109,97,105,108,116,111,58) for the "mailto:" part and (64) for the @-symbol.

Then we could adapt the "editor/dialog/fck_link/fck_link.js" script, such that it returns the url "javascript:mto('fckeditor', 'mail', 'fck is great', 'greets')". This shouldn't be hard to implement. And as written above, we would also have to adapt the script, such that it recognizes the uri "javascript:mto..." as a mail link. Maybe we could add a configuration that can be used to enable/disable the encoding.

The drawback: The user has to add a javascript-function in its frontend.

The advantage: The length of the html code would only slightly increase. By customizing also the name of the javascript function (mto, jsmailto, mt, m, anything_no_spambot_would_detect, etc.), we can further improve the script such that it won't be detected by a spambot.

How do you think about that?

What you are saying is that if an email address is obfuscated by the server, it becomes un-editable in the final HTML. If the editor could reverse the encoding and then encode again, editing encoded email addresses would become transparent. Right?

This is what's called security through obscurity. It would be a bad assumption to think that spammers are not capable of parsing a sequence of comma-separated numbers on an HTML page.

Hi A.M.

I never thought that spambots would not be capable of parsing a sequence of comma-separated numbers on an HTML page. Of course you are right, the encoding is very easy. It is like the famous Cesar, or ROT13. Yes, it's important to note: This form of encoding can easily be decoded! But isn't it better than simply writing a "mailto:info@company.com" href? And would a spambot really search for obfuscated links and decode them? There are too many undecoded email-addresses in the Internet such that the time it would take for a spambot to perform the parsing for INTEGERLISTs (and other possibilities to obfuscate) and the resources it takes to decode them is not worthting. I'm talking about an automatic spambot that automatically "spiders" through the net and fetches email-addresses. I am not talking about a human, who would of course be able to decode the email address.

As far as I know, it is not possible to encode something that (without any knowledge) can only be decoded by non-spammers. So, the 100%-solution simply does not exist yet. Except by providing a formular to send the email, but this has many other drawbacks.

asuter wrote:But isn't it better than simply writing a "mailto:info@company.com" href? And would a spambot really search for obfuscated links and decode them?

It all depends on how many targets are there. If one does custom encoding on their own site, spammers won't bother. However, if something as widely-used as FCKeditor used such encoding, it would make it worthwhile for spammers to write a decoder.

asuter wrote:There are too many undecoded email-addresses in the Internet such that the time it would take for a spambot to perform the parsing for INTEGERLISTs (and other possibilities to obfuscate) and the resources it takes to decode them is not worthting.

This particular scheme doesn't require much to decode. You don't even have to parse HTML or JS code. A simple regular expression (e.g. /([0-9]+,[ \t]*)?[0-9]+/) will give you all comma-separated sequences on the page, which you can easily convert to obtain email addresses.

asuter wrote:As far as I know, it is not possible to encode something that (without any knowledge) can only be decoded by non-spammers. So, the 100%-solution simply does not exist yet. Except by providing a formular to send the email, but this has many other drawbacks.

No, it's not. The bottom line is that a human visiting the website should be able to read the address. If a spammer would use a JS interpreter, which are widely-available, they would be able to see anything a human would, no matter how convoluted would be the encoding.

Having said that, I will say that it's a neat idea. Webmasters of those sites that do use some form of encoding, such as name at domain, would be able to type an email address and not worry about the encoding. I would only add that if such mechanism is implemented, it would be good if it provided some flexibility to vary the encoding by site, so that it's not the same, which would be a bit of a speed bump for spammers.

Andre

I think the String.fromCharCode is a good startup for this. I would ask you to please open a ticket at our dev site with your proposal, and possible a patch for it. Then of course, some work must be done to the the reverse engineering for the encoded href when loading the dialog, but this is not a big issue.

This is not to say that it would be the solution to be implemented. We can also end up with things like <a href="javascript:window.location='mailto:'+['m','o','c','.','e','l','p','m','a','x','e','@','l','i','a','m'].reverse().join('')">, but it is a fact that spammers would just adapt their bots to whatever encoding procedure that becomes too diffused (by a famous WYSIWYG editor).

Maybe some random thing could come out?

A.M. wrote:Having said that, I will say that it's a neat idea. Webmasters of those sites that do use some form of encoding, such as name at domain, would be able to type an email address and not worry about the encoding. I would only add that if such mechanism is implemented, it would be good if it provided some flexibility to vary the encoding by site, so that it's not the same, which would be a bit of a speed bump for spammers.

Agree!! Which is why I also brought up the idea of writing a fully customizable javascript function (function name, simple algebraic operations, order of parameters, etc.), which gets called upon a click on an email-link and which then generates the "location.href=mailto:info@company.com" command. Do you have any improvements or better ideas? In my opinion it would be great, if the future CKEditor has such a feature. Maybe it would be nice if the editor generates the javascript function automatically - such that no two functions are similar. But of course this leads to the problems discussed above, the spammers would know the technique the editor generates these functions and so they can adapt their scanners.

fredck wrote:I would ask you to please open a ticket at our dev site with your proposal, and possible a patch for it.

Done. Ticket #2220.

I've made a patch file implementing a very new feature to encode (obscure) email links. It degrades well, that is, the link dialog recognizes an href with "mailto:xxx" still as an email link. The patch will encode and decode the email links, such that you (or your clients) can edit the links without any knowledge about the encoding technique.


Description

The new technique accepts a pattern for the href-attribute of an email link. The pattern has some tags (placeholders) that will be used to replace the given elements like "name", "domain", "subject" and "body". The placeholder "name" would be defined by the part before the @-symbol of the email address, and the placeholder "domain" would be defined by the part after the @-symbol.

There are two possibilities for the placeholders: Either you write {placeholder}, which gets replaced by the value of the placeholder, or {{placeholder}} which gets replaced by the value of the placeholder surrounded by single quotes (single quotes in the values get escaped).

For example, the pattern to build the standard "mailto:" href would look like

mailto:{name}@{domain}?subject={subject}&body={body}

You should know, that you can implement your own javascript function that handles the mail link (a so called "mail-link-handler") in the frontend. That is, you can for example write the function

function mto(domain,name,subject,body) {
  location.href = 'mailto:' + name + '@' + domain + '?subject=' + subject + '&body=' + body;
}

and define the corresponding pattern

javascript:mto({{domain}},{{name}},{{subject}},{{body}})

You are completely free in writing another function name or in changing the order of the attributes. You are also free in implementing the mail-link-handler like

function mlh(d,n,b,s){
  eval("loca" + "tion.hr" + "ef='ma" + "ilt" + "o:'+n+'@'+d+'?subject='+s+'&body='+b;");
}

and corresponding pattern

javascript:mlh({{domain}},{{name}},{{body}},{{subject}})

Note that the mail-link-handler has to be present in the frontend, that is where you finally output the content.


Installation / Implementation

Replace the file "editor/dialog/fck_link/fck_link.js" by the unzipped version of the attached file fck_link.js.tar.gz.

Add a new configuration value by simply writing somewhere in the fckconfig.js (or in your FCKConfig.CustomConfigurationsPath file) the following line

FCKConfig.MailLinkPattern = 'javascript:mt({{domain}},{{name}},{{body}},{{subject}})' ;

Make sure that the mail-link-handler defined in the pattern (in the example "mt") is also present in the frontend!!!

I have used a javascript for several years to cloak email addresses that I put on several websites. it has worked great. And I was looking for something similar that i could use for FCKeditor to protect email addresses entered into text using FCKeditor, when I found your patch.

I downloaded it, installed it, and it seems to work fine... except for one thing. why create a link with a title equal to the email address? So, I'm wondering if I missed something. I do notice that the information asked for by fckeditor when creating an email link does not ask for the name of the person you are sending the email to.

what I am saying is that when I use the FCKeditor email link with your patch, I get :

<p><a href="javascript:mt('yyy.com','xxx','testing','test')">xxx@yyy.com</a></p>

what I would like to see (and this is what I did when I used my homegrown javascript) is this:

<p><a href="javascript:mt('yyy.com','xxx','testing','test')">Jane Doe</a></p>

so you see Jane Doe instead of xxx@yyy.com as the title of the link.

is there a way to do this with your patch?

@lynne007, just type the name in the editor. Then select it and open the link dialog. The selected text will get linked.

fredck wrote:@lynne007, just type the name in the editor. Then select it and open the link dialog. The selected text will get linked.

@lynne007, maybe a good option is transforming "name@example.com" to "name@...com" in such cases. But I think you will have people send messages to "name@...com" when reading it, instead of clicking on it :/

fredck wrote:@lynne007, maybe a good option is transforming "name@example.com" to "name@...com" in such cases. But I think you will have people send messages to "name@...com" when reading it, instead of clicking on it :/

viewtopic.php?f=6&t=9710&st=0&sk=t&sd=a&start=10#p25617


Installation / Implementation

fck_link.zip

FCKConfig.MailLinkPattern = 'javascript:mt({{domain}},{{name}},{{body}},{{subject}})' ;
FCKConfig.MailImage = '<img src="/sites/all/lynne/i/mailbox.gif">';

viewtopic.php?f=6&t=10096

http://dev.fckeditor.net/changeset/2157

http://dev.fckeditor.net/ticket/2220

Adrian, I am so glad to see this as part of FCKeditor. Thanks for doing this work.

but.. I can't get it to work.

in fckeditor 2.6.4, in fckconfig.js, there is a statement:

FCKConfig.EMailProtectionFunction = 'mt(NAME,DOMAIN,SUBJECT,BODY)' ;

I did a search of everything unzipped in 2.6.3, and can't find where the mt function is defined. Can someone tell me where this is defined?

thanks.

can someone help? I've installed the fckeditor 6.4 in my drupal installation and this feature does not work and i don't know why. It just encodes the email link the old way.

Hi lynne007

You have to define the javascript function mt by yourself. The function has to be available on the page where you finally put the content (i.e. on the frontend). I don't know drupal that good, but I guess you have to modify the template that is responsible for the frontend. Simply add the following into the head section:

<script type="text/javascript">
function mt(n,d,s,b) {
  location.href = "mailto:" + n + "@" + d + "?subject=" + encodeURI(s) + "&body=" + encodeURI(b);
}
</script>

Furthermore, in order to use this type of protection, you have to set the following in the configuration

FCKConfig.EMailProtection = 'function'

Hi,

is there any way to prepend such mailto-links with a noscript tag?
With that it would at least be possible to notify users that the mailto-links only work with JS, when they have javascript disabled.

Thanks in advance, Joe.