Hide HTML Source Code


ad

Hiding HTML source code is possible. It requires JavaScript, but there
is no need to encrypt HTML output or do anything else which would
decrease performance. I discovered this about five years ago, but at
that time it would have been considered bad practice in regards to
cross-browser-compatibility. Now that AJAX has become a programming
standard, the time has come to let this loose on the public. I
won't tell you how I do it, but I will provide you with a working
example.

http://www.smart-cgi.com/api/

If anyone is able to crack this, I would appreciate the feedback.

Albert Dominguez
 

Benjamin Niemann

Hiding HTML source code is possible. It requires JavaScript, but there
is no need to encrypt HTML output or do anything else which would
decrease performance. I discovered this about five years ago, but at
that time it would have been considered bad practice in regards to
cross-browser-compatibility. Now that AJAX has become a programming
standard, the time has come to let this loose on the public. I
won't tell you how I do it, but I will provide you with a working
example.

http://www.smart-cgi.com/api/

If anyone is able to crack this, I would appreciate the feedback.

http://www.smart-cgi.com/api/rss.php?url=http://rss.news.yahoo.com/rss/topstories

so what?
 

David Dorward

Hiding HTML source code is possible.

Not effectively

It requires JavaScript

Which is run by the browser, so a DOM Inspector can extract the markup
in about two clicks.

, but there is no need to encrypt HTML output or do anything else which would
decrease performance.

Correct. Hiding the HTML source is pointless.

I discovered this about five years ago, but at
that time it would have been considered bad practice in regards to
cross-browser-compatibility.

... and still is. Hiding all your content from search engines and
users of Opera Mobile is generally considered a bad idea.

Now that AJAX has become a programming
standard

*snigger*

, the time has come to let this loose on the public. I
won't tell you how I do it, but I will provide you with a working
example.

http://www.smart-cgi.com/api/

Oh dear

If anyone is able to crack this, I would appreciate the feedback.

Two clicks:

<html lang="en" dir="ltr" xml:lang="en" xmlns="http://www.w3.org/1999/
xhtml">
<title>Smart-CGI.com</title><meta content="text/html; charset=UTF-8"
http-equiv="Content-Type"/><link type="text/css" href="./default.css"
rel="stylesheet"/></head><body onload="getNav('http://
rss.news.yahoo.com/rss/topstories', urls);getXml('http://
rss.news.yahoo.com/rss/topstories');return false;"><div
class="headmast"><a href="../"><img style="border: medium none ;
padding-left: 8px;" alt="Smart-CGI.com" src="../img/logo.gif"/></a></
div><div id="nav"><div class="navWrapper"><h1 class="navBlur">Top
Stories</h1><h1 class="navFocus"><a onclick="getNav(this.id,
urls);getXml('http://rss.news.yahoo.com/rss/world');return false;"
id="http://rss.news.yahoo.com/rss/world" class="nav"
href="javascript:">World News</a></h1><h1 class="navFocus"><a
onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/
us');return false;" id="http://rss.news.yahoo.com/rss/us" class="nav"
href="javascript:">U.S. News</a></h1><h1 class="navFocus"><a
onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/
politics');return false;" id="http://rss.news.yahoo.com/rss/politics"
class="nav" href="javascript:">Politics</a></h1><h1
class="navFocus"><a onclick="getNav(this.id, urls);getXml('http://
rss.news.yahoo.


(and I won't bother pasting the rest)
 

Jukka K. Korpela

Scripsit David Dorward:
Hiding all your content from search engines and
users of Opera Mobile is generally considered a bad idea.

Not necessary.

People who try to hide HTML source typically produce crap pages, so hiding
them from as many user agents as possible tends to raise the overall quality
of the Web.
 

El Kabong

And the script begins with:

function clickIE () { if (document.all) return false; }
function clickNS (e) { if (document.layers || (document.getElementById &&
!document.all)) { if (e.which == 2 || e.which == 3) return false; } }
function getXml (url) {
etcetera, etcetera, etcetera...

David Dorward said:
Not effectively


Which is run by the browser, so a DOM Inspector can extract the markup
in about two clicks.


Correct. Hiding the HTML source is pointless.


... and still is. Hiding all your content from search engines and
users of Opera Mobile is generally considered a bad idea.


Oh dear


Two clicks:

<html lang="en" dir="ltr" xml:lang="en" xmlns="http://www.w3.org/1999/

http-equiv="Content-Type"/><link type="text/css" href="./default.css"
rel="stylesheet"/></head><body onload="getNav('http://
rss.news.yahoo.com/rss/topstories', urls);getXml('http://
rss.news.yahoo.com/rss/topstories');return false;"><div
class="headmast"><a href="../"><img style="border: medium none ;
padding-left: 8px;" alt="Smart-CGI.com" src="../img/logo.gif"/></a></
div><div id="nav"><div class="navWrapper"><h1 class="navBlur">Top
Stories</h1><h1 class="navFocus"><a onclick="getNav(this.id,
urls);getXml('http://rss.news.yahoo.com/rss/world');return false;"
id="http://rss.news.yahoo.com/rss/world" class="nav"
href="javascript:">World News</a></h1><h1 class="navFocus"><a
onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/
us');return false;" id="http://rss.news.yahoo.com/rss/us" class="nav"
href="javascript:">U.S. News</a></h1><h1 class="navFocus"><a
onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/
politics');return false;" id="http://rss.news.yahoo.com/rss/politics"
class="nav" href="javascript:">Politics</a></h1><h1
class="navFocus"><a onclick="getNav(this.id, urls);getXml('http://
rss.news.yahoo.


(and I won't bother pasting the rest)

And the referenced script begins with:

function clickIE () { if (document.all) return false; }
function clickNS (e) { if (document.layers || (document.getElementById &&
!document.all)) { if (e.which == 2 || e.which == 3) return false; } }
function getXml (url) {
etcetera, etcetera, etcetera...

Requires a third click.

Back to the drawing board, friend.

El
 

Jonathan N. Little

Hiding HTML source code is possible. It requires JavaScript, but there
is no need to encrypt HTML output or do anything else which would
decrease performance. I discovered this about five years ago, but at
that time it would have been considered bad practice in regards to
cross-browser-compatibility. Now that AJAX has become a programming
standard, the time has come to let this loose on the public. I
won't tell you how I do it, but I will provide you with a working
example.

http://www.smart-cgi.com/api/

If anyone is able to crack this, I would appreciate the feedback.
DUH!

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" dir="ltr" lang="en"><head><script src="./js.js" type="text/javascript"></script><script type="text/javascript" src="./hide.js"></script><title>Smart-CGI.com</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link rel="stylesheet" href="./default.css" type="text/css"></head><body onload="getNav('http://rss.news.yahoo.com/rss/topstories', urls);getXml('http://rss.news.yahoo.com/rss/topstories');return false;"><div class="headmast"><a href="../"><img src="../img/logo.gif" alt="Smart-CGI.com" style="border: medium none ; padding-left: 8px;"></a></div><div id="nav"><div class="navWrapper"><h1 class="navBlur">Top Stories</h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/world" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/world');return false;">World News</a></h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.ne
ws.yahoo.com/rss/us" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/us');return false;">U.S. News</a></h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/politics" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/politics');return false;">Politics</a></h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/business" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/business');return false;">Business</a></h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/tech" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/tech');return false;">Technology</a></h1><h1 class="navFocus"><a href="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/science" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/science');return false;">Science</a></h1><h1 class="navFocus"><a hre
f="javascript:" class="nav" id="http://rss.news.yahoo.com/rss/sports" onclick="getNav(this.id, urls);getXml('http://rss.news.yahoo.com/rss/sports');return false;">Sports</a></h1></div></div><div id="out"><a href="http://news.yahoo.com/i/716"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/nws/th/main_142b.gif" alt="Yahoo! News: Top Stories" class="img"></a><h1 class="title"><a href="http://news.yahoo.com/i/716">Yahoo! News: Top Stories</a></h1><address class="copyright">Top Stories Tue, 29 May 2007 16:29:56 GMT </address><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rs...oo.com/s/ap/20070529/ap_on_go_pr_wh/us_darfur">Bush pressures Sudan with new sanctions
(AP)</a></h2><div>Tue, 29 May 2007 16:33:09 GMT</div><p></p><p><a href="http://us.rd.yahoo.com/dailynews/rs...oo.com/s/ap/20070529/ap_on_go_pr_wh/us_darfur"><img src="http://d.yimg.com/us.yimg.com/p/ap/...30&amp;y=117&amp;sig=Gids_0IhcZ7vGQo604sF4Q--" alt="President Bush waves as he departs the White House in Washington, Tuesday, May 29, 2007, after he ordered new U.S. economic sanctions to pressure Sudan's government to halt the genocide in Darfur. The president is traveling to the to the Federal Law Enforcement Training Center in Glynco, Ga. (AP Photo/J. Scott Applewhite)" align="left" border="0" height="117" width="130"></a>AP - President Bush ordered new U.S. economic sanctions Tuesday to pressure Sudan's government to halt the bloodshed in Darfur that the administration has condemned as genocide.</p><br clear="all"><p></p></div><div name="item" class="item"><h2><a href="http
://us.rd.yahoo.com/dailynews/rss/topstories/*http://news.yahoo.com/s/ap/20070529/ap_on_re_mi_ea/iraq">U.S.: 10 Memorial Day deaths in Iraq
(AP)</a></h2><div>Tue, 29 May 2007 16:18:48 GMT</div><p></p><p><a href="http://us.rd.yahoo.com/dailynews/rs...s.yahoo.com/s/ap/20070529/ap_on_re_mi_ea/iraq"><img src="http://d.yimg.com/us.yimg.com/p/rid...130&amp;y=93&amp;sig=10ysuM53nRuoQ_draYNjyQ--" alt="Iraqis ride past a damaged Sunni mosque in Baghdad May 29, 2007. At least 24 people were killed and 68 were wounded when a truck bomb exploded near Baghdad's largest Sunni Muslim mosque on Monday, police said. REUTERS/Ceerwan Aziz (IRAQ)" align="left" border="0" height="93" width="130"></a>AP - Ten American soldiers were killed in roadside bombings and a helicopter crash on Memorial Day, the military reported Tuesday, making May the deadliest month of the year for U.S. troops in Iraq.</p><br clear="all"><p></p></div><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rs...om/s/ap/20070529/ap_on_re_eu/russia_missile_t
est">Russian official boasts of new ICBM
(AP)</a></h2><div>Tue, 29 May 2007 16:01:27 GMT</div><p></p><p><a href="http://us.rd.yahoo.com/dailynews/rs...s/ap/20070529/ap_on_re_eu/russia_missile_test"><img src="http://d.yimg.com/us.yimg.com/p/afp...130&amp;y=89&amp;sig=wtf6LX3z8pdDTnTd_ceBlg--" alt="Russian President Vladimir Putin (R) speaks with First Deputy Prime Minister Sergei Ivanov during a meeting in March 2007. US Secretary of State Condoleezza Rice met President Vladimir Putin on a visit aimed at allaying Russian complaints of American interference in both the military and political spheres.(AFP/Pool/File/Dmitry Astakhov)" align="left" border="0" height="89" width="130"></a>AP - Russia on Tuesday test-launched a new intercontinental ballistic missile, apparently developed secretly, that a top government official said could penetrate any defense system, Russian news agencies reported.</p><br clear="al
l"><p></p></div><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rs...oo.com/s/ap/20070529/ap_on_el_pr/obama_health">Obama offers universal health care plan
(AP)</a></h2><div>Tue, 29 May 2007 16:20:17 GMT</div><p></p><p><a href="http://us.rd.yahoo.com/dailynews/rs...oo.com/s/ap/20070529/ap_on_el_pr/obama_health"><img src="http://d.yimg.com/us.yimg.com/p/ap/...130&amp;y=94&amp;sig=YY7ygBKWgzdywvw_miI5Ew--" alt="Democratic presidential hopeful U.S. Sen. Barack Obama, D-Ill., speaks during a Memorial Day reception with veterans, Monday, May 28, 2007, in Davenport, Iowa. (AP Photo/Charlie Neibergall)" align="left" border="0" height="94" width="130"></a>AP - Democratic presidential candidate Barack Obama on Tuesday offered a sweeping health care plan that would provide every citizen a means for coverage and calls on government, businesses and consumers to share the costs of the program.</p><br clear="all"><p></p></div><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rss/topstories/*http://news.yahoo.com/s/ap
/20070529/ap_on_bi_ge/economy">Consumer confidence rebounds in May

....
was ending her public campaign against the Iraq war with an
angry blast at Democrats, Republicans and "cowardly leaders"
who have abandoned U.S. troops indefinitely in Iraq.</p><br clear="all"><p></p></div><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rs...hoo.com/s/nm/20070529/pl_nm/worldbank_bush_dc">Bush may name World Bank chief this week: WHouse
(Reuters)</a></h2><div>Tue, 29 May 2007 14:23:32 GMT</div><p></p><p><a href="http://us.rd.yahoo.com/dailynews/rs...hoo.com/s/nm/20070529/pl_nm/worldbank_bush_dc"><img src="http://d.yimg.com/us.yimg.com/p/nm/...30&amp;y=103&amp;sig=P2DqS2g7bBRVdAf7IbqJVA--" alt="A view of a conference hall during the IMF and World Bank spring meeting in Washington, April 14, 2007. President Bush is likely to announce this week a candidate to replace World Bank President Paul Wolfowitz, who resigned after a storm of criticism over a salary increase for his companion, White House spokesman Tony Snow said on Tuesday. (Yuri Gripas/Reuters)" align="left" border="0" height="103" width="130"></a>Reuters - President George W. Bush is
likely to announce this week a candidate to replace World Bank
President Paul Wolfowitz, who resigned after a storm of
criticism over a salary increase for his companion, White House
spokesman Tony Snow said on Tuesday.</p><br clear="all"><p></p></div><div name="item" class="item"><h2><a href="http://us.rd.yahoo.com/dailynews/rs...com/s/nm/20070529/ts_nm/g8_climate_germany_dc">Merkel, Pelosi say world should unite on climate

....

Enough?
 

Harlan Messinger

Hiding HTML source code is possible. It requires JavaScript, but there
is no need to encrypt HTML output or do anything else which would
decrease performance. I discovered this about five years ago, but at
that time it would have been considered bad practice in regards to
cross-browser-compatibility. Now that AJAX has become a programming
standard, the time has come to let this loose on the public. I
won't tell you how I do it, but I will provide you with a working
example.

http://www.smart-cgi.com/api/

If anyone is able to crack this, I would appreciate the feedback.

Firefox's DOM Inspector--from the context menu for the HTML element,
Copy XML to get the following on the Windows clipboard:

<HTML lang="en" dir="ltr" xml:lang="en"
xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<SCRIPT type="text/javascript" src="./js.js"/>
<TITLE>
Smart-CGI.com </TITLE>
<META content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
<LINK type="text/css" href="./default.css" rel="stylesheet"/>
</HEAD>
<BODY onload="getNav('http://rss.news.yahoo.com/rss/topstories',
urls);getXml('http://rss.news.yahoo.com/rss/topstories');return false;">
<DIV class="headmast">
<A href="../">
<IMG style="border: medium none ; padding-left: 8px;"
alt="Smart-CGI.com" src="../img/logo.gif"/>
</A>
</DIV>
<DIV id="nav">
<DIV class="navWrapper">
<H1 class="navBlur">
Top Stories </H1>
<H1 class="navFocus">
<A
onclick="getNav(this.id,
urls);getXml('http://rss.news.yahoo.com/rss/world');return false;"
id="http://rss.news.yahoo.com/rss/world" class="nav"
href="javascript:">
World News </A>
</H1>
<H1 class="navFocus">
<A
onclick="getNav(this.id,
urls);getXml('http://rss.news.yahoo.com/rss/us');return false;"
id="http://rss.news.yahoo.com/rss/us" class="nav"
href="javascript:">
U.S. News </A>
</H1>

[etc.]
It isn't the original source code, but it generates the equivalent page.
 

Benjamin Niemann

Already taken care of. Thanks!

What has changed? I don't see a difference.
And even if - we could keep playing this game endlessly.
You have to realize that your approach suffers from the same fundamental
flaw as any other "IP protection": There is *no* way your script could
reliably differentiate between legitimate and 'bad' requests. It only sees
a stream of incoming octets, which can be arbitrarily forged to mimic
a 'legitimate visitor'.
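
The point made in the post above, as an added example that is not part of the thread and not the site's code: a hypothetical header-checking gate gives the same verdict for a browser's request and for identical octets assembled by any other program. The gate itself, the host `site.example` and the path `/api/feed` are assumptions made for illustration.

```javascript
// Parse the raw octets of an HTTP request head into method, target and headers.
function parseRequest(octets) {
  const head = octets.toString('latin1').split('\r\n\r\n')[0];
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, target] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers };
}

// Hypothetical gate (an assumption): "only answer our own page's AJAX calls".
// Everything it can inspect arrived in the request, so the sender chose it.
function looksLegitimate(octets) {
  const { method, headers } = parseRequest(octets);
  return method === 'GET' &&
    /^Mozilla\//.test(headers['user-agent'] || '') &&
    (headers['referer'] || '').startsWith('http://site.example/api/') &&
    headers['x-requested-with'] === 'XMLHttpRequest';
}

// Any program can serialize a request; nothing here is browser-specific.
function buildRequest(target, headers) {
  const lines = [`GET ${target} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  return Buffer.from(lines.join('\r\n') + '\r\n\r\n', 'latin1');
}

// Constructed sample: the octets a browser on the page would send.
const fromBrowser = Buffer.from(
  'GET /api/feed HTTP/1.1\r\n' +
  'Host: site.example\r\n' +
  'User-Agent: Mozilla/5.0 (constructed sample)\r\n' +
  'Referer: http://site.example/api/\r\n' +
  'X-Requested-With: XMLHttpRequest\r\n\r\n', 'latin1');
// Constructed sample: the same request assembled by a non-browser client.
const fromScript = buildRequest('/api/feed', {
  'Host': 'site.example',
  'User-Agent': 'Mozilla/5.0 (constructed sample)',
  'Referer': 'http://site.example/api/',
  'X-Requested-With': 'XMLHttpRequest',
});
// Constructed sample: a client that sends no extra headers.
const bare = buildRequest('/api/feed', { 'Host': 'site.example' });

function verdicts() {
  return { browser: looksLegitimate(fromBrowser), script: looksLegitimate(fromScript),
           bare: looksLegitimate(bare), sameOctets: fromBrowser.equals(fromScript) };
}
console.log(verdicts());
```

The gate only rejects clients that do not bother to send the headers; markup or data that must stay private should not be sent to the client at all.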
 

Ed Mullen

JWS said:
Just clicking file, save page as, web page complete (in Mozilla
Seamonkey) reveals the whole sorry mess. No cracking is involved.

Or also access the info via the browser cache (Mozilla, SeaMonkey, Firefox):

about:cache?device=disk
about:cache?device=memory
 

Samuel van Laere

If anyone is able to crack this, I would appreciate the feedback.

I don't get it, under IE I use the Instant Source plugin and it displays the
source straight away.
So what is hidden??

Cheers,
Sam
 

dorayme

JWS said:
Just clicking file, save page as, web page complete (in Mozilla
Seamonkey) reveals the whole sorry mess. No cracking is involved.

And so too in Safari.
 

dorayme

Harlan Messinger said:
Firefox's DOM Inspector--from the context menu for the HTML element,
Copy XML to get the following on the Windows clipboard:

<HTML lang="en" dir="ltr" xml:lang="en"
xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<SCRIPT type="text/javascript" src="./js.js"/>
<TITLE>
Smart-CGI.com </TITL ...

etc

On FF 2.0.0.3 on Mac, this technique gets only this on the Mac
clipboard:

<HTML>
<HEAD>
<SCRIPT type="text/javascript" src="./js.js"/>
</HEAD>
<BODY/>
</HTML>
 
