
Thread: Disabling the ability to view HTML source code

  1. #1
    Join Date
    Feb 2003
    Posts
    9

    Disabling the ability to view HTML source code

    Does anyone know if there is a way to disable HTML source viewing in Internet Explorer? I figured out a way to do it in Netscape that can't be broken even if JavaScript is turned off, but Internet Explorer brings up a Notepad window and shows the source.

    Thanks.

  2. #2
    Join Date
    Nov 2002
    Posts
    984

    Re: Disabling the ability to view HTML source code

    Originally posted by cyberman29
    I figured out a way to do it in Netscape that can't be broken even if JavaScript is turned off
    Yeah sure...

  3. #3
    Join Date
    Nov 2002
    Posts
    411

    Talking

    ...yes would you care to test us on that?

    And even if you could hide it in Netscape, someone would only have to go to their web cache and open the HTML file and it would be there. Or just click "save as", or...

    Oh, I can't be bothered: it can't be done.

  4. #4
    Join Date
    Jan 2003
    Posts
    136
    I have a hot tip. If you use MS F*ckPage you can at least be sure your code isn't useable to someone else. Sort of takes the incentive away.

  5. #5
    Join Date
    Feb 2003
    Posts
    9
    I'll tell you how I did it in Netscape. The key, after several hours of trial and error, is anything that occurs between the following tags:

    <SCRIPT LANGUAGE="JavaScript">

    (Rest of code goes here)

    </SCRIPT>

    This code must be placed within the HEAD section of your page and will not show on a Netscape "View Source" request. What I did was take the HTML code and use a JavaScript maker which converts the entire page into a Java function (.js file) which can be called by using a link or reference that points to "javascript:functionname()". This must occur after the code that calls the script file.

    Example:
    <HEAD>
    <SCRIPT LANGUAGE="JavaScript" SRC="http://www.yoursite.com/yourjavafunction.js"></SCRIPT>
    </HEAD>

    <BODY>
    <a href="javascript:yourjavafunction()">Click here to continue</a>
    </BODY>

    The HEAD section calls the original HTML page that has been converted to JavaScript and the BODY section executes it. What shows in the "View Source" is the code of the page that is executing the JavaScript. Also, if you use HTML and <SCRIPT> tags in the same document, only the code not enclosed with <SCRIPT> tags will show, but remember to put the <SCRIPT> tags and code you want hidden in the HEAD section.

    Try going to this website in Netscape: http://www.shawnwilson.freeservers.com/weblogin2e.html

    Once there, view the source code. After that, just enter any characters into the login and password boxes and then click the "Login!" button. Try to view the source code now. Although you will see a page simply stating a bad login was entered, you will not see the page's original source code. You should see the source code from the login page instead, or you may just see the code that calls the page (.js file) showing a bad login from the login page. Turning off JavaScript will not allow you to view the "bad login" source code since the page is being executed as a JavaScript function. If a correct login was entered, the page accesses would also not be viewable. I used the same method, and I used JavaScript to mask all of the links on the page so that a user wouldn't be able to hold their pointer over the links and see the exact location of files the links point to. These were also converted from HTML to a JavaScript (.js file) file so that turning off JavaScript wouldn't allow them to be viewed.

    As for Internet Explorer, I am still working on this one. It doesn't seem that I have been able to defeat Microsoft's "view source" yet.

  6. #6
    Join Date
    Jan 2003
    Posts
    136
    When can we expect the Lynx version?

  7. #7
    Join Date
    Feb 2003
    Posts
    9
    I still have to figure out how to defeat Internet Explorer. IE won't display the <SCRIPT> coding in the HEAD section of pages, but it will show code executed by a JavaScript function, such as the method I used to defeat Netscape. IE opens Notepad and shows the code there. I am assuming that IE is deconverting the JavaScript back to the original HTML during the view source process. The JavaScript maker program that allowed me to do this in Netscape can be found at: http://www.byte-sizesoftware.com/ (JavaScript Maker 2.7). It got 5-star reviews and the developer states that it will convert any HTML code to JavaScript without any run-time errors or other problems that can occur with writing JavaScript. All you have to do is supply the source HTML file name and the program will create the .js file for you and give you the code you need for your HTML page that will call and run the .js file. I have used many HTML pages with it, and I have never had any errors. You will need to register it if you plan to keep it more than 20 days, but the fee is only $5, a great deal for all the power it has.

  8. #8
    Join Date
    Nov 2002
    Location
    NY, USA
    Posts
    731
    And what exactly is keeping us from looking at http://www.shawnwilson.freeservers.com/weblogin_2e.js ?

  9. #9
    Join Date
    Feb 2003
    Posts
    9
    The method used works on a similar principle to how frames work. In frames, the main page calls each of the frame HTML files, but the main view source shows the HTML of the frames page loader unless you do a view frame source from the particular frame you want to view source. With JavaScript, Netscape will not show the source of the JavaScript function called using the format javascript:functionname(). What it shows instead is the source of the page that calls the JavaScript function. If you typed the actual command in the address bar of Netscape just as javascript:functionname() and pressed enter, the page would appear because the .js file has already been called by a <SCRIPT> tag in the HEAD section, but if you view the source code, you will not see it. Instead, you see the source of the page calling the .js file. To prove this in my example used in a previous post above (http://www.shawnwilson.freeservers.com/weblogin2e.html), you can hit the reload button from the bad login screen, and you would be taken back to the original login page because that is the source Netscape is caching. Netscape caches, in the view source request, any HTML code from an HTML file. Since the .js file is actually a JavaScript program that must be called by a <SCRIPT> tag, Netscape does not show the source. If it did, you would see the JavaScript commands the HTML was converted to by the JavaScript maker which would not reveal the original HTML source. Disabling JavaScript does not work, because the JavaScript function is a .js file program instead of HTML and will not work if JavaScript is not turned on. In addition, if you turn off JavaScript while on the page resulting from the .js file and try to view source, it still will not work because, as stated above, Netscape is caching the HTML that called the .js file and that HTML is what will show if you view source.

  10. #10
    Join Date
    Jan 2003
    Posts
    136
    You are funny, cyberman.

  11. #11
    Join Date
    Nov 2002
    Posts
    2,632
    Now what is it about your site that you feel you have to do all of this work to prevent people from stealing your code? I looked at your site and honestly, I didn't exactly feel the urge to steal your code.

  12. #12
    Join Date
    Feb 2003
    Posts
    9
    Basically, since I am using a value hosting provider, and since I don't really have time to get into personal web servers, Perl language, and things of the sort, I have taken steps that will allow an alternative for access to what will be secure areas of my site. Along with this comes the need to make sure that people and/or hackers can't find ways around the types of security I will be using, or at least to make it somewhat more difficult to be able to hack those particular areas of the site. I am still working out some other details, but I decided to first work on the one thing that hackers usually start with before moving on to the rest. I figure if they can't view the source to determine the locations of certain files, then they will have a very hard time hacking the site.

  13. #13
    Join Date
    Dec 2002
    Location
    High on life
    Posts
    10,104
    It's been said before, but here we go...

    You can't hide your source. Even if you try, someone who knows what they are doing will be able to find it. In order for a browser to read the page, the source must be available somewhere, and thus, the hacker only needs to find out where that is...

    Originally posted by cyberman29
    I have taken steps that will allow an alternative for access to what will be secure areas of my site.
    Except for the fact that it won't be secure.
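
The point made in the post above, that whatever the browser renders has to be delivered to it, can be checked by a site owner against their own generated script. This is an added example, not code from the thread: the sample script and the names `renderWrites` and `referencedPaths` are constructed, and it assumes the converter output consists of plain `document.write` calls.

```javascript
// Constructed sample: the kind of file an HTML-to-JavaScript converter might emit.
const SAMPLE_JS = `
function hidden_page() {
  document.write("<html><head><title>Members</title></head><body>");
  document.write("<a href='/members/files.html'>Files</a>");
  document.writeln("<form action='/cgi-bin/check' method='post'></form>");
  document.write("</body></html>");
}`;

// Run the script against a stub `document` and return everything it writes,
// which is the same markup a visitor's browser ends up rendering.
function renderWrites(scriptSource, entryPoint) {
  if (!/^[A-Za-z_$][\w$]*$/.test(entryPoint)) {
    throw new Error('entryPoint must be a plain function name');
  }
  const chunks = [];
  const stubDocument = {
    write: (...parts) => { chunks.push(parts.join('')); },
    writeln: (...parts) => { chunks.push(parts.join('') + '\n'); },
  };
  // new Function is not a sandbox: only feed it scripts from your own site.
  const run = new Function('document', `${scriptSource}\n${entryPoint}();`);
  run(stubDocument);
  return chunks.join('');
}

// List every URL the recovered markup references. Each one is visible to any
// visitor, so each needs server-side access control rather than concealment.
function referencedPaths(html) {
  const attr = /\b(?:href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return [...html.matchAll(attr)].map((m) => m[1] ?? m[2] ?? m[3]);
}

const recovered = renderWrites(SAMPLE_JS, 'hidden_page');
console.log(recovered);
console.log(referencedPaths(recovered));
```
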

  14. #14
    Join Date
    Nov 2002
    Posts
    984
    Originally posted by cyberman29

    Try going to this website in Netscape: http://www.shawnwilson.freeservers.com/weblogin2e.html

    Once there, view the source code. After that, just enter any characters into the login and password boxes and then click the "Login!" button. Try to view the source code now. Although you will see a page simply stating a bad login was entered, you will not see the page's original source code. You should see the source code from the login page instead, or you may just see the code that calls the page (.js file) showing a bad login from the login page. Turning off JavaScript will not allow you to view the "bad login" source code since the page is being executed as a JavaScript function.

    I'm sorry if this breaks your spirit but I get this when I view source (JS on and off) in mozilla 1.1 (aka Netscape 7+)

    It sure looks like the code is the same as the page I'm looking at.

    <base HREF="http://shawnwilson.freeservers.com/bkpage1/">
    <!--"@(#):InvalidUser.html 11.4 06/30/99"-->
    <html><head>
    <title>Invalid Username and Password</title>
    </head>
    <center>
    <body BGCOLOR='99ccff' TEXT='black'>
    <h1 ALIGN=center>Invalid Login Submitted</h1>
    <h2>Please login</h2>
    <form ACTION="/cgi-bin/cgiemail" METHOD="post">
    <input TYPE="hidden" NAME="cgiemail_html" VALUE="/weblogin2e.html">
    <input TYPE="hidden" NAME="cgiemail_error" VALUE="/weblogin2e.html">
    <input TYPE="hidden" NAME="cgiemail_username" VALUE="playgames@shawnwilson.freeservers.com">
    <input TYPE="hidden" NAME="cgiemail_subject" VALUE="Invalid Login">

    <input TYPE="hidden" NAME="cgiemail_timezone" VALUE="US/Eastern">
    <input TYPE="hidden" NAME="cgiemail_timeformat" VALUE="%A, %B %e, %Y %T">
    <input TYPE=submit VALUE="Return to the login page">
    </form>
    <br> <br> <br> <br> <br>
    </address>
    </center>
    </body>
    </html>


    For the record, here is what I get when I look at the original login page (which is clearly different)

    <html>
    <head>
    <script language="JavaScript" SRC="http://www.shawnwilson.freeservers.com/weblogin_2e.js"></script>
    </head>
    <body>
    <script language="JavaScript">
    <!--//
    weblogin_2e();
    //-->
    </script>
    </body>
    </html>
    <script><!--
    var jv=1.0;
    //--></script>
    <script language=Javascript1.1><!--
    jv=1.1;
    //--></script>
    <script language=Javascript1.2><!--
    jv=1.2;
    //--></script>
    <script language=Javascript1.3><!--
    jv=1.3;
    //--></script>

    <script language=Javascript1.4><!--
    jv=1.4;
    //--></script>
    <script><!--
    function SiteStats_9332(){
    var t=new Date();
    var o='o='+t.getTimezoneOffset()+';';
    t=t.getTime();
    var isNN4=(document.layers)?true:false;
    var isCSS=(document.all)?true:false;
    var t='t='+t+';';
    var b='b='+(isCSS?(document.body.clientWidth+'x'+document.body.clientHeight)
    :isNN4?(innerWidth+'x'+innerHeight):'')+';';
    var s='s='+(isCSS||isNN4?(screen.width+'x'+screen.height):'')+';';
    var c='c='+(isCSS||isNN4?screen.colorDepth :'')+';';
    var j='j='+jv+';'
    var p='p='+escape(location.href)+';';
    var r='r='+escape(document.referrer)+';';
    var u='http://www.shawnwilson.freeservers.com/cgi-bin/sitestats.gif?'+t+b+s+c+j+o+p+r;
    var I=new Image(1,1); I.src=u;
    var f='var e=new Date();e=e.getTime();var I=new Image(1,1);I.src="'+u+'e="+e+";";';
    window.onunload=new Function(f);
    setTimeout('alive_9332("'+u+'")',0x249F0);
    }
    function alive_9332(u){
    var e=new Date();var I=new Image(1,1); I.src=u+'alive=1;t='+e.getTime(); setTimeout('alive_9332("'+u+'")',0x249F0);
    }
    SiteStats_9332();
    //--></script><noscript><img src=http://www.shawnwilson.freeservers.com/cgi-bin/sitestats.gif?p=
    http%3A%2F%2Fwww.shawnwilson.freeservers.com%2Fweblogin2e.html;r=-; width=1 height=1></noscript>
    Last edited by Stefan; 02-03-2003 at 03:18 AM.

  15. #15
    Join Date
    Feb 2003
    Posts
    9
    Response to pyro:
    In order for the source code to be found, a hacker would first have to download the JavaScript program (.js file) and try to disassemble it to determine the original HTML source code that was used to compile the program. The problem the hacker will run into in this situation is that my site has the ability to disable remote loading of files other than those with a .HTML or .HTM extension. If I turn on that feature, any files with extensions other than .HTML and .HTM cannot be downloaded. Even if they try to use a download manager such as RealDownload which allows you to enter the exact path of the file, they will get an Access Denied error.

    Response to Stefan:
    It appears that Netscape 7 is using technology similar to Internet Explorer. I do not have the 6+ or 7+ versions of Netscape, but the testing I have done is based on Netscape 4.8 and below, but this tells me that if I can solve the problem for Internet Explorer, then it should also be solved for Netscape 6+ and 7+.
