[#19089] - [4.0] email cloaking without inline script
- Fixed in Code Base
- 1 Apr 2018
- Medium
- Build: 4.0-dev
- # 19089
- Diff
- dgt41:§4.0-dev-email-cloaking
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
This PR is part of the series of PRs that try to eliminate the inline scripts from Joomla. (The reason is CSP, please watch @wilsonge 's video from JWC17...)
Summary of Changes
- We are using custom elements to keep this as simple as possible
- The B/C break should be minimal (only if devs were using the internals of the plugin or the JHTML lib), I hope this is ok
Testing Instructions
Edit an article and add email: something@somewhere.com
Navigate to the article and check if the email is visible.
Disable javascript and reload the page (email shouldn't be visible)
Go to Admin->plugins->Content - Email Cloaking and change the option Mode then revisit the article, the email shouldn't be a link
Set the editor to codemirror and edit the article popular articles from the sample data.
Replace the contents of the article with:
<p>Test</p>
toto@toto.com
<p>Another</p>
<a href="mailto:toto@toto.com?subject=Mysubject" class="myclass" >email</a>
<p>Another</p>
<a href="http://mce_host/ourdirectory/email@example.org">anytext</a>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com"><span style="font-style: 8pt;">Joe_fontsize8</span></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere13.com?subject= A text"><span style="font-size: 14pt;">Joe_subject_ fontsize13</span></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com"><strong>something</strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com"><strong>mymail@mysite.com</strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com"><strong><span style="font-size: 14px;">mymail@mysite.com</span></strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com"><strong><span style="font-size: 14px;">Joe Nobody</span></strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com?subject= A text"><strong><span style="font-size: 16px;">joe@nowhere.com</span></strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com?subject=Text"><img src="/images/joomla_black.png" alt=""/>joe@nowhere.com</a></p>
<p>Another</p>
<a href="http://mce_host/ourdirectory/email@example.org">email@example.org</a>
<p>Another</p>
<p><a href="mailto:joe@nowhere.com?subject= A text" class="class1 class2"><strong><span style="font-size: 16px;">joe@nowhere.com</span></strong></a></p>
<p>Another</p>
<p><a href="mailto:joe@nowhere13.com?subject= A text" class="class 1 class 2"><span style="font-size: 14pt;">Joe_subject_ fontsize13</span></a></p>
<p>Another</p>
<a href="mailto:toto@toto.com" class="myclass" >toto@toto.com</a>
<p>Another</p>
<a href="mailto:toto@toto.com" class="myclass" >Click Here</a>
<p> More Tests </p>
<p><a href="mailto:demo@demo.com"><span style="color: red;">Contattare l'associazione</span></a></p>
<div class="contact email"> </div>
<p><a href="mailto:demo@demo.com"><strong>Contattare l'associazione</strong></a></p>
<div class="contact email"> </div>
<div class="contact email"> </div>
<div class="contact email"> </div>
<div class="contact email"> ---------------------------------------</div>
<div class="contact email"><a href="mailto:info@testsite.com"><img style="margin: 0px 3px 0px 0px; float: left; width: 21px; height: 21px;" title="A nice title" src="images/powered_by.png" alt="A nice title" width="21" height="21" />info@testsite.com</a></div>
<div class="contact email"> </div>
<div class="contact email"><a href="mailto:info@testsite.com"><img src="images/powered_by.png" alt="" />info@testsite.com</a></div>
<div class="contact email"> </div>
<div><p>texte apres image</p></div>
<div class="contact email"><a href="mailto:info@testsite.com"><img style="margin: 0px 3px 0px 0px; float: left; width: 21px; height: 21px;" title="A nice title" src="images/powered_by.png" alt="A nice title" width="21" height="21" />texte'apresimage</a></div>
<div class="contact email"><a href="mailto:info@testsite.com?subject= A text"><img style="margin: 0px 3px 0px 0px; float: left; width: 21px; height: 21px;" title="A nice title" src="images/powered_by.png" alt="A nice title" width="21" height="21" />texte'apresimage+ sujet</a></div>
<div>
<p>Testing with <span something>some text</span></p>
<p><a href="mailto:joe@nowhere.com"><span style="font-size: 18pt;">Joe_fontsize18</span></a></p>
<p><a href="mailto:joe@nowhere13.com?subject= A text"><span style="font-size: 14pt;">Joe'_subject_ fontsize13</span></a></p>
<p>Testing with <span something>email_adress</span></p>
<p><a href="mailto:joe@nowhere14.com"><span style="font-style: 14pt;">joe@nowhere14.com</span></a></p>
<p>Testing with (+subject)<span something>email_adress</span></p>
<p><a href="mailto:joe@nowhere16.com?subject= A text"><span style="font-size: 16pt;">joe@nowhere16.com</span></a></p>
<p><a href="mailto:joe@nowhere.com"><span style="color: red;">joe@nowhere.com</span></a></p>
<p>Uniquement strong</p>
<p><a href="mailto:joe@nowhere.com"><strong>something</strong></a></p>
<p>Uniquement strong avec subject et mail</p>
<p><a href="mailto:joe@nowhere.com?subject= A text"><strong>joe@nowhere.com</strong></a></p>
<p>strong+spansomething+text</p>
<p><a href="mailto:joe@nobody.com"><strong><span style="font-size: 9px;">Joe' Nobody</span></strong></a></p>
<p>strong+spansomething+mail</p>
<p><a href="mailto:joe@nobody.com"><strong><span style="font-size: 14px;">mymail@mysite.com</span></strong></a></p>
</div>
<div> Test plus sign</div>
test@example.com
test+test@example.com
test+@example.com
+test@example.com
Check in the front end that article, with and without javascript enabled!
Expected result
All the possible cases as described in the tests:
Actual result
Documentation Changes Required
Yes
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries JavaScript Front End Plugins |
@C-Lodder check @Fedik 's comment: #18843 (comment)
I was thinking about something similar
| Labels |
Added:
?
|
||
| Category | Libraries JavaScript Front End Plugins | ⇒ | JavaScript Repository Libraries Front End Plugins |
@C-Lodder can you test this one against some ajax created email addresses?
I just moved the code to custom elements so there is no need for an update event, browsers will sort this automatically. There is another thing tho the ajax needs to update the Joomla storage with the new values...
Here is what the bots will see:
This is after the js has been executed:
Good part: ajax inserted content will work without any extra line of code (use the platform for the win)
Sure, I'll test this tomorrow
Just wondering: Does it even make sense to cloak emails? Afaik Google runs JavaScript when they index the sites, so they will index the email addresses as well.
I guess spam bots in 2017 are running JS as well, but that's guessing without having any clue myself
Does anyone know?
@Bakual thats true
But we can still keep it hidden. Since now there is a custom element we can add a click event listener and on click will redirect to the mail app (href=“mailto:a@b.c). This way the dom never gets the actual email printed. And actually that’s the best we can do, but as you said this might already been outdated (you can have a bot with codeception that will beat the above scenario). Anyways people feel secure with such things although all these are security through obscurity, in other words crap
Looks good to me
please fix code style issues
I guess spam bots in 2017 are running JS as well
I think only a complex bots,
there still a lot of old and simple, most of them a dumb, like file_get_contents('http://blabla.com')
Ah crap, will test now
Tested and seem to work perfectly with content rendered via Ajax
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089.
please fix the CS issues and don't comment code just remove it
| Category | Libraries JavaScript Front End Plugins Repository | ⇒ | JavaScript Repository Libraries Front End Plugins Unit Tests |
| Labels |
Added:
?
|
||
@infograf768 can you please test this one?
I'll try and test tonight
branch out of date. will test later
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089.
I have tested this item
Unsuccessful for utf8 address mails and mail on Image.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089.
Here are the tests to do:
Test
<p>UTF8 mail<a href="mailto:joomlatest@xn----7sblgc4ag8bhcd.xn--p1ai"> joomlatest@джумла-тест.рф</a></p>
gives
Inspector displays address and wrong encoding for utf8
And on image
<p><a href="mailto:joomlatest@xn----7sblgc4ag8bhcd.xn--p1ai" rel="alternate"><img src="images/powered_by.png" alt="" /></a></p>
displays nothing
Inspector source
and with your example with image above
I also do not get the image
Note: I do see the images correctly when editing the article in front or back-end. Therefore it may not be related.
Correction: I understand these screenshots do not really show source as they are picked from Web Developper Inspector.
In source, the mail adress is obsfucated as should.
So the issues remaining are UTF8 display and Image display
Concerning the image, I'm afraid it is a Routing issue due to your PR... The article is displayed in a blog menu item.
An image not concerned by the email cloak displays OK.
@infograf768 I knew you'll find some bugs here that's the reason I've asked you test! Thanks, will patch things in a bit
@infograf768 now should be ok, both failing cases:
UTF8 display is corrected but not the path to image when we call it from a blog
Also, when there is a UTF8 subject, it is still garble.
I have tested this item
Ok now :)
Question: any way to also add test for utf8 mails ?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089.
Php tests or js tests?
Php tests or js tests?
No idea. Something in PlgContentEmailcloakTest.php I guess.
@infograf768 added two more tests for UTF-8, all tests pass now
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089.
@infograf768 can you please retest?
@franz-wohlkoenig he doesn't have to, the last commit was to fix the tests, didn't touch the rest of the code
| Status | Pending | ⇒ | Ready to Commit |
Ready to Commit after two successful tests.
| Labels |
Added:
?
|
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-04-01 20:23:29 |
| Closed_By | ⇒ | wilsonge |
@wilsonge why did you merge this with drone / unit tests failing? All Joomla 4 PR's are now failing.
@dgt41 The error looks like to come from this line https://github.com/joomla/joomla-cms/pull/19089/files#diff-a5e4a8ab7a94472482aa9109f381223fR61 as HTMLHelper::_('webcomponent' expects an string and not a array. Here is a PR but please take a look into that too: #20053
Seems good to me. Looking forward to the event listener for Ajax rendered content as I rely on this myself.