Fun with Hiding Code!

[Mr Initial Man]

The following is an actual tutorial that I found on another forum, and I'm working out a rebuttal. I could use your help picking this idea apart.

i dont no if this is already in here so delete it if it is,

this will show you how to block your document source using -

html
frames
javascript

remember there are ways around it,

ok first make a page called page.html

HTML Code:

<html>

<head>
<title>Title</title>
</head>

<frameset rows="1,*" frameborder="0" framespacing="0">
<frame src="about:blank" name="frame2" noresize>
<frame src="realpage.html" name="frame1" noresize>
</frameset>

<body>
</body>

</html>

this makes it so if the user clicks 'View Source' or 'Document Source' etc, they will see frame code

now make the file named realpage.html (this is the file they will be viewing, it must contain the no right click script):

HTML Code:

<html>

<head>
<script language="JavaScript1.2" type="text/javascript">
// This script and others available free at http://www.lissaexplains.com
if (window.Event)
  document.captureEvents(Event.MOUSEUP);

function nocontextmenu() {
  event.cancelBubble = true, event.returnValue = false;

  return false;
} 

function norightclick(e) {
  if (window.Event) {
    if (e.which == 2 || e.which == 3) return false;
  }
  else if (event.button == 2 || event.button == 3) {
    event.cancelBubble = true, event.returnValue = false;
    return false;
  }
}

if (document.layers)
  document.captureEvents(Event.MOUSEDOWN);

document.oncontextmenu = nocontextmenu;
document.onmousedown = norightclick;
document.onmouseup = norightclick;
//--></script>
</head>

<body onload="if (top == self) { window.location='page.html'; }">

Blah Blah Blah

</body>

</html>

the

<body onload="if (top == self) { window.location='page.html'; }">

will redirect the realpage.html to page.html if there are no frames on the page

the no right click script will make sure if anyone right clicks in that frame on the page.html page it will block it

i hope this helps

Simply viewing the code, I know, will reveal what you want to get to. I've also heard of some javascript command you can type into your address bar to disable the javascript on that page.

But this guy says he can also do it via PHP. Anyone ever heard of that?

[HaganeNoKokoro]

You can't do it with php. There might be some sort of trick to prevent the page from being accessed directly (though nothing I can think of), and all the frames and no-right-click scripts in the world won't pretect you from Firefox with javascript disabled and the This Frame->View Source right-click menu.

[MstrBob]

He may be referring to redirecting your browser based on referers.

Look, it's uber simple to circumnavigate any anti-view source method. Because the fact is, if the browser doesn't receive the source then it can't do a damnable thing. If your browser gets the source, so can you the user, because you just downloaded it! Now, there is a very effective way of doing this.

(If you're on windows, click Start -> Run and type in 'cmd' if you're on Windows XP or 'command' for earlier windows. Basically we want to get the command prompt). Now say we want the source for say, page.html on example.com (example.com/page.html). We type:

Code:

telnet example.com 80

and then our HTTP request

Code:

GET /page.html HTTP/1.0

Hit enter twice. The server sends you the page's contents, and it's plaintext.

Now I've seen stupider designs, which send an encrypted page and use Javascript to decrypt them. Now there's a very easy way to overcome these. Mozilla Firefox has a tool called "DOM Inspector" in which you can view every current element in the document. For the browser to understand the JS encryption, it has to be decrypted and useable by the browser. The DOM Inspector shows the decrypted document. So, simply on the page you want click Tools -> DOM Inspector Highlight the HTML node, right click, and select "Copy XML". Now paste it wherever you want, this is the source of the document.

If frames are being used its always simple enough to find the real page.

[Stephen Philbin]

You should be fair though. I mean they will not have completely failed in their endeavour to hide the source. Ok, so they might have failed to prevent a human from getting it, but no search engine will ever index them, so that's at least a partial victory for their "security" efforts.

[MstrBob]

You should be fair though. I mean they will not have completely failed in their endeavour to hide the source. Ok, so they might have failed to prevent a human from getting it, but no search engine will ever index them, so that's at least a partial victory for their "security" efforts.

The encrypted ones, yes. I mainly did that because I've seen numerous "companies" selling "HTML Source Encryption". Bogus, each time I find a company, I send them the source code of their demonstration page and call them bogus. I'm doing my part for a free world.

[Stephen Philbin]

Why people try to hide what they make is beyond me. It's like a shop setting up and stacking all the shelves, then locking all the windows and doors in case someone tries to come in.

Goomers.

[rch10007]

try this: http://www.drpeterjones.com/hidden/hidden.php

No contest if you own FF, lol

[Mr Initial Man]

i cant totally block the source its impossible, but i can do this, my thing in the tutorial section gives more protection than just the original no righ click script, but then you can just disable javascript so that wont work, now the average person wont no what to do so that doesnt matter so if they want your source they will get it.... ok besides diisabled javascript you can use a site that fetches HTML, i made one, though i tryied to make it so it wouldnt work , the $_SERVER['PHP_SELF'] would equal the right thing because all php scripts are executed on the server, so therefore that method of checking wether the address was correct wont work

The latest PM I got from this guy

[Stephen Philbin]

The idiot can't even write standard text, let alone code. Unless of course

i can totally block the source its impossible

makes sense to everyone else and I'm just thick.

[rch10007]

1800+ post and you can't read programmers chicken scratch yet, shessssh




lol

[Mr Initial Man]

Oh, it's interesting. This guy's got a bit more practice before he becomes the forum's version of muneepenee, but he's well on his way.

[rch10007]

muneepenee - what a hoot!

[Zarel]

Mozilla Firefox has a tool called "DOM Inspector" in which you can view every current element in the document. For the browser to understand the JS encryption, it has to be decrypted and useable by the browser. The DOM Inspector shows the decrypted document. So, simply on the page you want click Tools -> DOM Inspector Highlight the HTML node, right click, and select "Copy XML". Now paste it wherever you want, this is the source of the document.

That reminds me... I can't seem to get DOM Inspector back...

I can't find it in the Tools menu, and reinstalling Firefox doesn't give me the option to install it, and it's not an extension...

(Nevermind, fixed)

[MstrBob]

That reminds me... I can't seem to get DOM Inspector back...

I can't find it in the Tools menu, and reinstalling Firefox doesn't give me the option to install it, and it's not an extension...

I haI lost the DOM Inspector as well, but that was back with a 0.9 version of Firefox. Unistalling firefox, and deleting the profile directory, and then reinstalling fixed it for me. The option to install DOM inspector was no longer disabled, so I checked it and off I went.

If that doesn't help, then I'd try searching the Firefox Support Forum and if that turns up nothing, try searching Bugzilla. If nothing helps you, you can always file it as a firefox bug.