I have tested this item ✅ successfully on 351eb10

Works fine - thank you :)

This PR has received new commits.

CC: @yvesh

@dgt41 wouldn't that be a good moment to switch to something better then random(1, 100000); ?

There is a chance (even when it is low) that, when there are many emails on one page that you get the same id and run into troubles or leak the email.

Better would be something like with uniqid(rand()) or openssl random for example.

@yvesh good idea, which one shall we use here? also md5(the email addy) will work I think

Don't explicitly couple it to openssl. If you're worried about cryptographically secure randomness, use random_int() (already available to us because we have the random_compat polyfill). If you're not worried about it being cryptographically secure, either rand() or mt_rand() should be more than enough.

The main thing it looks like you're trying to avoid is duplicating use of an ID, there's no way around that by changing the random number generator; you'd still need a static state somewhere saying "yes this number has already been used".

uniqid(rand()) should be more then unique enough (not even sure if rand() is neceassary, this is only needed when something is generated at the same microsecond).

As an alternative you could use JUserHelper::genRandomPassword(10);

This PR has received new commits.

CC: @yvesh

How about: // Random hash
$rand = md5($mail . rand(1, 100000));

That'd definitely eliminate the need to track which numbers are in use.

There is that one in a billion chance, that the same mail is printed multiple times on the page and the random number is the same. But the solution should be sufficient.

Hopefully md5 sums will be never so weak (or rainbow tables get that large), that even email addresses are cracked in seconds. ;)

You're not trying to cryptographically secure the addresses though. It's really just making it more troublesome for bots to scrape them off the generated HTML page. IMO it'd be better to use a different seed than the address you're trying to obfuscate, but in the long run all you're doing is inconveniencing some script kiddies crawling generated HTML.

Reverse engineering open source code is a bit easier as you get to see the source code for free

I have tested this item ✅ successfully on 7b2bb6e

Works still fine - thank you @dgt41

This PR has received new commits.

CC: @yvesh

I have tested this item ✅ successfully on 2df0786

Still working

Is this working in an ajax context ? (with injection in dom and js execution) ? unable to give it a try actually ...
EDIT: this is not B/C, in an ajax context if you pick "content" actually you expect the inline JS with it... now its in head

@Devportobello I guess we can still inject the script in the caller window with some magic to cover this case. can you point me to a module with an ajax call so I can provide the code needed?

@Devportobello actually the script will not run if passed as data in the ajax call, so no B/C break here:
http://stackoverflow.com/questions/4619668/executing-script-inside-div-retrieved-by-ajax

@dgt41 you can execute JS with parseHTML : http://api.jquery.com/jQuery.parseHTML/

// call ajax then in done function with response as arg:
$('<div>').append( $.parseHTML( response, document, true ) ).find( '.item-page' );

@Devportobello can you share a url used in the ajax call (I have an idea) ?

@dgt41 sended by mail to you

This PR has received new commits.

CC: @yvesh

@Devportobello does my last commit cover the ajax part?

@dgt41 Nice try :), but in my case, i dont use "com_ajax" and i got 1 another custom tmpl "content", hmm diffcult to cover an ajax context, maybe with header

X-Requested-With : XMLHttpRequest

This PR has received new commits.

CC: @yvesh

Sound good, will give a try when enough time

This PR has received new commits.

CC: @yvesh

I have tested this item ✅ successfully on 863a9f2

I have tested it successfully
After giving value "False" to javascript.enabled in FireFox 47.0.1 getting message "This email address is being protected from spambots. You need JavaScript enabled to view it."
Test in Joomla Version: Joomla! 3.6.0-rc Release Candidate [ Noether ] 28-June-2016 20:34 GMT

I have tested this item ✅ successfully on 863a9f2

Tested in Joomla! 3.6.0-rc2 [Noether] 6-July-2016 22:26 CET

Yes, the default functionality to show message works fine after applying patch but what about content updated by AJAX call? Give me example code to check. How can I check AJAX response disabling JavaScript?

Just tested rapidly, seem not working on ajax context...
Here is a module to test this PR: https://github.com/Devportobello/joomla-attach-PR-11027

I have tested this item ? unsuccessfully on 863a9f2

Using AJAX to update content with email address in content seems not working. Shows message "This email address is being protected from spambots. You need JavaScript enabled to view it.", though JavaScript enabled.

I have tested this item ? unsuccessfully on 863a9f2

Same thing is happening after apply patch and before patch. Please more detail for testing.

This PR has received new commits.

CC: @AnishaTailored, @hardiktailored, @killoltailored, @rahultomar, @yvesh

This PR has received new commits.

CC: @AnishaTailored, @hardiktailored, @killoltailored, @rahultomar, @yvesh

This PR has received new commits.

CC: @yvesh

I have tested this item ✅ successfully on e95e923

Context update by AJAX having email address in it, works now. I tested with module provided by @Devportobello

Just noticed, there is no CS about inline JS in PHP ... http://joomla.github.io/coding-standards

I have tested this item ✅ successfully on e95e923

Work also in ajax context

RTC

@Devportobello I proposed to PLT to switch to this format

JFactory::getDocument()->addScriptDeclaration(
<<<JS
//Script goes here with " and ' not needing escape
// Drawback you can't put vars like $this->id needs to be $id
JS
);

But is a lot of work to convert every inline script...

This PR has received new commits.

CC: @yvesh

@joomla-cms-bot