Disabling the ability to view HTML source code


cyberman29
02-02-2003, 03:30 AM
Does anyone know if there is a way to disable HTML source viewing in Internet Explorer? I figured out a way to do it in Netscape that can't be broken even if JavaScript is turned off, but Internet Explorer brings up a Notepad window and shows the source.

Thanks.

Stefan
02-02-2003, 04:17 AM
Originally posted by cyberman29
I figured out a way to do it in Netscape that can't be broken even if JavaScript is turned off

Yeah sure... :rolleyes:

jpmoriarty
02-02-2003, 08:28 AM
...yes would you care to test us on that?

And even if you could hide it in Netscape, someone would only have to go to their web cache and open the html file and it would be there. Or just click "save as", or...

Oh, I can't be bothered: it can't be done.

meow
02-02-2003, 08:34 AM
I have a hot tip. If you use MS F*ckPage you can at least be sure your code isn't useable to someone else. Sort of takes the incentive away. :D

cyberman29
02-02-2003, 02:50 PM
I'll tell you how I did it in Netscape. The key, after several hours of trial and error, is anything that occurs between the following tags:

<SCRIPT LANGUAGE="JavaScript">

(Rest of code goes here)

</SCRIPT>

This code must be placed within the HEAD section of your page and will not show on a Netscape "View Source" request. What I did was take the HTML code and use a JavaScript maker which converts the entire page into a Java function (.js file) which can be called by using a link or reference that points to "javascript:functionname()". This must occur after the code that calls the script file.

Example:
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="http://www.yoursite.com/yourjavafunction.js"></SCRIPT>
</HEAD>

<BODY>
<a href="javascript:yourjavafunction()">Click here to continue</a>
</BODY>

The HEAD section calls the original HTML page that has been converted to JavaScript and the BODY section executes it. What shows in the "View Source" is the code of the page that is executing the JavaScript. Also, if you use HTML and <SCRIPT> tags in the same document, only the code not enclosed with <SCRIPT> tags will show, but remember to put the <SCRIPT> tags and code you want hidden in the HEAD section.

Try going to this website in Netscape: http://www.shawnwilson.freeservers.com/weblogin2e.html

Once there, view the source code. After that, just enter any characters into the login and password boxes and then click the "Login!" button. Try to view the source code now. Although you will see a page simply stating a bad login was entered, you will not see the page's original source code. You should see the source code from the login page instead, or you may just see the code that calls the page (.js file) showing a bad login from the login page. Turning off JavaScript will not allow you to view the "bad login" source code since the page is being executed as a JavaScript function. If a correct login was entered, the page accesses would also not be viewable. I used the same method, and I used JavaScript to mask all of the links on the page so that a user wouldn't be able to hold their pointer over the links and see the exact location of files the links point to. These were also converted from HTML to a JavaScript file (.js file) so that turning off JavaScript wouldn't allow them to be viewed.

As for Internet Explorer, I am still working on this one. It doesn't seem that I have been able to defeat Microsoft's "view source" yet.

meow
02-02-2003, 03:14 PM
When can we expect the Lynx version? :p

cyberman29
02-02-2003, 03:43 PM
I still have to figure out how to defeat Internet Explorer. IE won't display the <SCRIPT> coding in the HEAD section of pages, but it will show code executed by a JavaScript function, such as the method I used to defeat Netscape. IE opens Notepad and shows the code there. I am assuming that IE is deconverting the JavaScript back to the original HTML during the view source process. The JavaScript maker program that allowed me to do this in Netscape can be found at: http://www.byte-sizesoftware.com/ (JavaScript Maker 2.7). It got 5-star reviews and the developer states that it will convert any HTML code to JavaScript without any run-time errors or other problems that can occur with writing JavaScript. All you have to do is supply the source HTML file name and the program will create the .js file for you and give you the code you need for your HTML page that will call and run the .js file. I have used many HTML pages with it, and I have never had any errors. You will need to register it if you plan to keep it more than 20 days, but the fee is only $5, a great deal for all the power it has.

jeffmott
02-02-2003, 03:46 PM
And what exactly is keeping us from looking at http://www.shawnwilson.freeservers.com/weblogin_2e.js ?

cyberman29
02-02-2003, 04:08 PM
The method used works on a similar principle to how frames work. In frames, the main page calls each of the frame HTML files, but the main view source shows the HTML of the frames page loader unless you do a view frame source from the particular frame you want to view source. With JavaScript, Netscape will not show the source of the JavaScript function called using the format javascript:functionname(). What it shows instead is the source of the page that calls the JavaScript function. If you typed the actual command in the address bar of Netscape just as javascript:functionname() and pressed enter, the page would appear because the .js file has already been called by a <SCRIPT> tag in the HEAD section, but if you view the source code, you will not see it. Instead, you see the source of the page calling the .js file. To prove this in my example used in a previous post above (http://www.shawnwilson.freeservers.com/weblogin2e.html), you can hit the reload button from the bad login screen, and you would be taken back to the original login page because that is the source Netscape is caching. Netscape caches, in the view source request, any HTML code from an HTML file. Since the .js file is actually a JavaScript program that must be called by a <SCRIPT> tag, Netscape does not show the source. If it did, you would see the JavaScript commands the HTML was converted to by the JavaScript maker which would not reveal the original HTML source. Disabling JavaScript does not work, because the JavaScript function is a .js file program instead of HTML and will not work if JavaScript is not turned on. In addition, if you turn off JavaScript while on the page resulting from the .js file and try to view source, it still will not work because, as stated above, Netscape is caching the HTML that called the .js file and that HTML is what will show if you view source.

meow
02-02-2003, 04:13 PM
You are funny, cyberman. :D

spufi
02-02-2003, 09:21 PM
Now what is it about your site that you feel you have to do all of this work to prevent people from stealing your code? I looked at your site and honestly, I didn't exactly feel the urge to steal your code.

cyberman29
02-02-2003, 09:41 PM
Basically, since I am using a value hosting provider, and since I don't really have time to get into personal web servers, Perl language, and things of the sort, I have taken steps that will allow an alternative for access to what will be secure areas of my site. Along with this comes the need to make sure that people and/or hackers can't find ways around the types of security I will be using, or at least to make it somewhat more difficult to be able to hack those particular areas of the site. I am still working out some other details, but I decided to first work on the one thing that hackers usually start with before moving on to the rest. I figure if they can't view the source to determine the locations of certain files, then they will have a very hard time hacking the site.

pyro
02-02-2003, 10:15 PM
It's been said before, but here we go...

You can't hide your source. Even if you try, someone who knows what they are doing will be able to find it. In order for a browser to read the page, the source must be available somewhere, and thus, the hacker only needs to find out where that is...

Originally posted by cyberman29
I have taken steps that will allow an alternative for access to what will be secure areas of my site.

Except for the fact that it won't be secure. :(

Stefan
02-03-2003, 02:15 AM
Originally posted by cyberman29

Try going to this website in Netscape: http://www.shawnwilson.freeservers.com/weblogin2e.html

Once there, view the source code. After that, just enter any characters into the login and password boxes and then click the "Login!" button. Try to view the source code now. Although you will see a page simply stating a bad login was entered, you will not see the page's original source code. You should see the source code from the login page instead, or you may just see the code that calls the page (.js file) showing a bad login from the login page. Turning off JavaScript will not allow you to view the "bad login" source code since the page is being executed as a JavaScript function.


I'm sorry if this breaks your spirit, but I get this when I view source (JS on and off) in Mozilla 1.1 (aka Netscape 7+).

It sure looks like the code is the same as the page I'm looking at.

<base HREF="http://shawnwilson.freeservers.com/bkpage1/">
<!--"@(#):InvalidUser.html 11.4 06/30/99"-->
<html><head>
<title>Invalid Username and Password</title>
</head>
<center>
<body BGCOLOR='99ccff' TEXT='black'>
<h1 ALIGN=center>Invalid Login Submitted</h1>
<h2>Please login</h2>
<form ACTION="/cgi-bin/cgiemail" METHOD="post">
<input TYPE="hidden" NAME="cgiemail_html" VALUE="/weblogin2e.html">
<input TYPE="hidden" NAME="cgiemail_error" VALUE="/weblogin2e.html">
<input TYPE="hidden" NAME="cgiemail_username" VALUE="playgames@shawnwilson.freeservers.com">
<input TYPE="hidden" NAME="cgiemail_subject" VALUE="Invalid Login">

<input TYPE="hidden" NAME="cgiemail_timezone" VALUE="US/Eastern">
<input TYPE="hidden" NAME="cgiemail_timeformat" VALUE="%A, %B %e, %Y %T">
<input TYPE=submit VALUE="Return to the login page">
</form>
<br> <br> <br> <br> <br>
</address>
</center>
</body>
</html>


For the record, here is what I get when I look at the original login page (which is clearly different):

<html>
<head>
<script language="JavaScript" SRC="http://www.shawnwilson.freeservers.com/weblogin_2e.js"></script>
</head>
<body>
<script language="JavaScript">
<!--//
weblogin_2e();
//-->
</script>
</body>
</html>
<script><!--
var jv=1.0;
//--></script>
<script language=Javascript1.1><!--
jv=1.1;
//--></script>
<script language=Javascript1.2><!--
jv=1.2;
//--></script>
<script language=Javascript1.3><!--
jv=1.3;
//--></script>

<script language=Javascript1.4><!--
jv=1.4;
//--></script>
<script><!--
function SiteStats_9332(){
var t=new Date();
var o='o='+t.getTimezoneOffset()+';';
t=t.getTime();
var isNN4=(document.layers)?true:false;
var isCSS=(document.all)?true:false;
var t='t='+t+';';
var b='b='+(isCSS?(document.body.clientWidth+'x'+document.body.clientHeight)
:isNN4?(innerWidth+'x'+innerHeight):'')+';';
var s='s='+(isCSS||isNN4?(screen.width+'x'+screen.height):'')+';';
var c='c='+(isCSS||isNN4?screen.colorDepth :'')+';';
var j='j='+jv+';'
var p='p='+escape(location.href)+';';
var r='r='+escape(document.referrer)+';';
var u='http://www.shawnwilson.freeservers.com/cgi-bin/sitestats.gif?'+t+b+s+c+j+o+p+r;
var I=new Image(1,1); I.src=u;
var f='var e=new Date();e=e.getTime();var I=new Image(1,1);I.src="'+u+'e="+e+";";';
window.onunload=new Function(f);
setTimeout('alive_9332("'+u+'")',0x249F0);
}
function alive_9332(u){
var e=new Date();var I=new Image(1,1); I.src=u+'alive=1;t='+e.getTime(); setTimeout('alive_9332("'+u+'")',0x249F0);
}
SiteStats_9332();
//--></script><noscript><img src=http://www.shawnwilson.freeservers.com/cgi-bin/sitestats.gif?p=
http%3A%2F%2Fwww.shawnwilson.freeservers.com%2Fweblogin2e.html;r=-; width=1 height=1></noscript>

cyberman29
02-03-2003, 08:10 AM
Response to pyro:
In order for the source code to be found, a hacker would first have to download the JavaScript program (.js file) and try to disassemble it to determine the original HTML source code that was used to compile the program. The problem the hacker will run into in this situation is that my site has the ability to disable remote loading of files other than those with a .HTML or .HTM extension. If I turn on that feature, any files with extensions other than .HTML and .HTM cannot be downloaded. Even if they try to use a download manager such as RealDownload which allows you to enter the exact path of the file, they will get an Access Denied error.

Response to Stefan:
It appears that Netscape 7 is using technology similar to Internet Explorer. I do not have the 6+ or 7+ versions of Netscape, but the testing I have done is based on Netscape 4.8 and below, but this tells me that if I can solve the problem for Internet Explorer, then it should also be solved for Netscape 6+ and 7+.

Stefan
02-03-2003, 08:39 AM
Originally posted by cyberman29
Response to Stefan:
It appears that Netscape 7 is using technology similar to Internet Explorer. I do not have the 6+ or 7+ versions of Netscape, but the testing I have done is based on Netscape 4.8 and below, but this tells me that if I can solve the problem for Internet Explorer, then it should also be solved for Netscape 6+ and 7+.

Even if you can solve it for IE, NS 6+ has a lot fewer security bugs you can take advantage of.
In short, we are back to "don't bother, it can't be done anyway".

jeffmott
02-03-2003, 11:58 AM
cyberman29
In order for the source code to be found, a hacker would first have to download the JavaScript program (.js file) and try to disassemble it to determine the original HTML source code that was used to compile the program.
You make it sound like this is supposed to be a difficult task. It isn't. A JavaScript file is plain text, not compiled machine code.

cyberman29
The problem the hacker will run into in this situation is that my site has the ability to disable remote loading of files other than those with a .HTML or .HTM extension. If I turn on that feature, any files with extensions other than .HTML and .HTM cannot be downloaded. Even if they try to use a download manager such as RealDownload which allows you to enter the exact path of the file, they will get an Access Denied error.
The browser needs to retrieve the external js file also so it can execute it. If you disallow the js to be downloaded then the page won't be able to render, which defeats the purpose of creating a page.

So you cannot stop the user from viewing your js file and therefore cannot stop them from viewing your source. End of story.

cyberman29
02-03-2003, 03:45 PM
Yes, the browser does have to have JavaScript turned on to render the page, but in order to extract any code from the JavaScript file, a hacker would have to download the file to their computer and use a text editor to look at it. If I disable the ability to remotely download files other than HTML files to their computer, they can't extract the source, because the text editors only work on local files and not files posted on the internet. The ability to disable remote file loading on my site prevents files from being retrieved in any form unless they are called from an HTML page stored on my site. As stated before, Netscape 4.8 and below isn't showing the source because the JavaScript is compiled into a program, and so only the HTML file calling the program shows. The only way they can crack the source code in these versions of Netscape is to download the JavaScript file to their local machine which, once disabled, would deny access to do that.

jeffmott
02-03-2003, 04:15 PM
cyberman29
but in order to extract any code from the JavaScript file, a hacker would have to download the file to their computer
If they've been to the page then the JavaScript file is already on their computer. And if access to the file is restricted then the browser won't be able to get to it either, meaning the JavaScript can't execute, meaning the user (any user) will get only a blank page.

pyro
02-03-2003, 05:01 PM
Yeah, it doesn't matter if you have your site set to disallow downloading of non-html pages, because for your page to be rendered, the files will be stored in your temporary internet directory. There is no way to protect your source.

Stefan
02-04-2003, 02:08 AM
Originally posted by cyberman29
Yes, the browser does have to have JavaScript turned on to render the page, but in order to extract any code from the JavaScript file, a hacker would have to download the file to their computer and use a text editor to look at it.


Apart from the flaws in this theory the others bring up, there is another even larger one.
People will NOT have to look at your JS file at all. They can just view your page with JS on, TURN OFF JS AFTER THE PAGE HAS LOADED, and then just do a view source inside the browser.
And voila, there is the source in plain HTML.

Nicodemas
02-04-2003, 02:43 AM
document.write ("password=password.toLowerCase();\r\n");
document.write ("if (username==\"5admin5\" && password==\"6admin6\") { window.location=\"javascri");
document.write ("pt:netgames2()\"; done=1; }\r\n");
document.write ("if (username==\"member2\" && password==\"password2\") { window.location=\"javascri");
document.write ("pt:invalidlogin2e()\"; done=1; }\r\n");
document.write ("if (username==\"member3\" && password==\"password3\") { window.location=\"javascri");
document.write ("pt:invalidlogin2e()\"; done=1; }\r\n");
document.write ("if (done==0) { location.href=\"javascri");


Sorry to bust your bubble....

Lines 30-37 of your source code, executed from Internet Explorer v5.5.


YOU CANNOT DO IT! blah..
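
To make the point raised in the posts above concrete (a converted page is plain text, and splitting strings across document.write calls hides nothing), here is an added example that is not code from any poster or from the converter tool: a static audit you can run over your own generated .js before publishing it. The sample wrapper, the demo credentials and the function names are all constructed for illustration.

```javascript
// Constructed sample in the style of an HTML-to-JavaScript converter's output.
// The credential check is deliberately split across two document.write calls.
const SAMPLE_JS = [
  'function samplepage() {',
  'document.write ("<h1>Login</h1>\\r\\n");',
  'document.write ("if (username==\\"demo_user\\" && password==\\"demo_pa");',
  'document.write ("ss\\") { done=1; }\\r\\n");',
  'document.write ("<p>Members only</p>\\r\\n");',
  '}',
].join('\n');

// Rebuild the text the wrapper would emit, without executing it.
function recoverWrittenText(jsSource) {
  // Match document.write("...") with a double-quoted literal argument.
  const call = /document\.write\s*\(\s*("(?:[^"\\]|\\.)*")\s*\)/g;
  let out = '';
  for (const m of jsSource.matchAll(call)) {
    try {
      // JSON.parse decodes the common escapes (\" \\ \r \n \t \uXXXX).
      out += JSON.parse(m[1]);
    } catch (e) {
      // Literals using escapes JSON lacks (\x41, \') need a real JS parser;
      // this sketch skips them instead of guessing.
    }
  }
  return out;
}

// Flag string comparisons against username/password in the recovered text:
// anything found here is readable by every visitor.
function findEmbeddedCredentials(text) {
  const cmp = /\b(username|password)\s*===?\s*"([^"]*)"/g;
  return [...text.matchAll(cmp)].map((m) => ({ field: m[1], value: m[2] }));
}

function auditGeneratedScript(jsSource) {
  const recovered = recoverWrittenText(jsSource);
  return { recovered, findings: findEmbeddedCredentials(recovered) };
}

const report = auditGeneratedScript(SAMPLE_JS);
console.log(report.recovered);
console.log(report.findings);
```

Any finding means the check runs in the visitor's browser with the secret in the file; the comparison has to move to the server for it to protect anything.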

AdamGundry
02-04-2003, 10:55 AM
You cannot hide any HTML or Javascript that is downloadable by the user, just make it difficult to access/understand.

Check out this encrypter for the latter:

http://www.dynamicdrive.com/dynamicindex9/encrypter.htm

If you enter "view-source:" before a URL some browsers will just display the target as a text file instead of rendering it - allowing your users to view any HTML or JS file they know the URL of.

There are copyright laws to deal with people who steal your code, but no effective security measures.

Adam

Magenta
02-06-2003, 02:05 PM
I don't think you can possibly hide your source code - goes against the way http and html works. But you could try the old ruse of putting a page full of line breaks into the top of your source code, before the <head> tag (in WordPad or whatever) - so that your source code only appears below the fold. Beginners probably wouldn't twig and non-beginners probably wouldn't need to pinch your code anyway.

Zach Elfers
02-06-2003, 02:48 PM
In Netscape 4.x you can change the color of the text when they do View > Source. It will appear hidden except for the text in purple.

<script type="text/JavaScript">
<!--
</xmp>
<font color="silver">
<xmp>
//-->
</script>
<html>
...

Of course, the user can just highlight everything to see the hidden source.