Avoid inline scripting for "javascript" email obfuscation method (#1122)
ikedas committed Jan 15, 2023
1 parent 384da03 commit 3408d9e
Showing 2 changed files with 25 additions and 12 deletions.
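--- a/src/lib/Sympa/HTMLDecorator.pm
+++ b/src/lib/Sympa/HTMLDecorator.pm
@@ -295,19 +295,12 @@ sub decorate_email_js {
 sub _decorate_email_js {
 my $text = shift;
 
-my @texts = map {
-my $str = (defined $_) ? $_ : '';
-$str =~ s/([\\\"])/\\$1/g;
-$str =~ s/\r\n|\r|\n/\\n/g;
-$str =~ s/\t/\\t/g;
-$str;
+return join '', map {
+my @chars = split //, $_;
+sprintf '<span class="decoText" data-text="%s">%s</span>',
+join(',', map { ord $_ } @chars),
+'*' x scalar @chars;
 } split /\b|(?=\@)|(?<=\@)/, $text;
-return
-sprintf '<script type="text/javascript">' . "\n" . '<!--' . "\n"
-. 'document.write(%s)' . "\n"
-. '// -->' . "\n"
-. '</script>',
-join(" +\n", map { '"' . $_ . '"' } @texts);
 }
 
 1;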
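Review bot: `_decorate_email_js` now depends on an unwritten contract with the `span.decoText` handler in `www/js/sympa.js`, and nothing in the sub records it. A comment above the `sprintf` would help, for example `# data-text holds only decimal ord() values and commas, so it needs no HTML escaping; decoded client-side by the span.decoText handler in sympa.js`. The same comment should say whether `$text` is expected to be decoded characters. If it can arrive as UTF-8 bytes, `ord` would emit byte values and the client would presumably rebuild non-ASCII text incorrectly; the hunk does not show which case applies.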
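--- a/www/js/sympa.js
+++ b/www/js/sympa.js
@@ -315,3 +315,23 @@ $(function() {
 });
 });
 
+$(function() {
+$('span.decoText').each(function(){
+var elm = $(this);
+try {
+var chars = String(elm.data('text')).split(',').map(
+function(val) {
+if (isNaN(val)) {
+throw new Error('Non-numeric data');
+}
+return val.toString(10);
+}
+);
+elm.text(String.fromCharCode.apply(null, chars));
+} catch(e) {
+return false;
+}
+return true;
+});
+});
+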
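Review bot: In the `catch` branch, `return false;` ends the whole jQuery `.each()` loop, so one malformed `span.decoText` leaves every later address on the page as asterisks. Using `return true;` there (or dropping the return) would skip only the bad element. The `isNaN(val)` guard also lets through an empty string, `1e3` or `0x41`, and `val.toString(10)` does nothing on a string. A stricter check such as `if (!/^\d+$/.test(val)) { throw new Error('Non-numeric data'); }` followed by `return parseInt(val, 10);` would accept only what the server emits. Writing the result with `.text()` rather than `.html()` keeps decoded content from being parsed as markup and should stay that way.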