Skip to content

Commit

Permalink
Avoid inline scripting for "javascript" email obfuscation method (sym…
Browse files Browse the repository at this point in the history
  • Loading branch information
ikedas committed Aug 25, 2024
1 parent a6b5c49 commit 30b929e
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 32 deletions.
70 changes: 38 additions & 32 deletions src/lib/Sympa/HTMLDecorator.pm
Original file line number Diff line number Diff line change
Expand Up @@ -267,47 +267,53 @@ sub decorate_email_concealed {
sub decorate_email_js {
my $self = shift;

my $text = '';
while (my $item = $self->_queue_shift) {
$text .= $item->{text};
}

if (index($text, '<') == 0) {
return _decorate_email_js($text);
}

my $decorated = '';
my $dtext = Sympa::Tools::Text::decode_html($text);
pos $dtext = 0;
while ($dtext =~ /\G((?:\n|.)*?)\b($email_like_re)\b/cg) {
$decorated .=
Sympa::Tools::Text::encode_html($1)
. _decorate_email_js(Sympa::Tools::Text::encode_html($2));
}
if (pos $dtext) {
return $decorated
. Sympa::Tools::Text::encode_html(substr $dtext, pos $dtext);
while (my $item = $self->_queue_shift) {
if ($item->{event} eq 'text') {
my $dtext = Sympa::Tools::Text::decode_html($item->{text});
pos $dtext = 0;
while ($dtext =~ m{\G(.*?)\b($email_like_re)\b}cg) {
$decorated .= Sympa::Tools::Text::encode_html($1)
. _decorate_email_js($2);
}
$decorated .=
Sympa::Tools::Text::encode_html(substr $dtext, pos $dtext);
} elsif ($item->{event} eq 'start'
and $item->{attr}
and 0 == index(lc($item->{attr}->{href} // ''), 'mailto:')) {
# Empties mailto URL in link target
my $text = $item->{text};
$text =~ s{(?<=\bhref=)([^\s>]+)}{
my $val = $1;
$val =~ s/\A['"\s]+//;
$val =~ s/['"\s]+\z//;
$val =~ s/\Amailto://i;
sprintf '"mailto:decoText" data-text="%s"',
_decorate_email_js_encode(
Sympa::Tools::Text::decode_html($val))
}egi;
$decorated .= $text;
} else {
$decorated .= $item->{text};
}
}

return $text;
return $decorated;
}

sub _decorate_email_js {
my $text = shift;

my @texts = map {
my $str = (defined $_) ? $_ : '';
$str =~ s/([\\\"])/\\$1/g;
$str =~ s/\r\n|\r|\n/\\n/g;
$str =~ s/\t/\\t/g;
$str;
return join '', map {
sprintf '<span class="decoText" data-text="%s">%s</span>',
_decorate_email_js_encode($_), '*' x length $_;
} split /\b|(?=\@)|(?<=\@)/, $text;
return
sprintf '<script type="text/javascript">' . "\n" . '<!--' . "\n"
. 'document.write(%s)' . "\n"
. '// -->' . "\n"
. '</script>',
join(" +\n", map { '"' . $_ . '"' } @texts);
}

sub _decorate_email_js_encode {
my $text = shift;

join ',', map { ord $_ } split //, $text;
}

1;
Expand Down
40 changes: 40 additions & 0 deletions www/js/sympa.js
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,46 @@ $(function(){
});
});

$(function() {
$('span.decoText').each(function(){
var elm = $(this);
try {
var chars = String(elm.data('text')).split(',').map(
function(val) {
if (isNaN(val)) {
throw new Error('Non-numeric data');
}
return val.toString(10);
}
);
elm.text(String.fromCharCode.apply(null, chars));
elm.attr('data-text', null);
} catch(e) {
return false;
}
return true;
});

$("a[href='mailto:decoText']").each(function(){
var elm = $(this);
try {
var chars = String(elm.data('text')).split(',').map(
function(val) {
if (isNaN(val)) {
throw new Error('Non-numeric data');
}
return val.toString(10);
}
);
elm.attr('href', 'mailto:' + String.fromCharCode.apply(null, chars));
elm.attr('data-text', null);
} catch(e) {
return false;
}
return true;
});
});

/* Align the scrollable calendar. */
$(function() {
$('.calendarLinksCurrentPage').each(function(){
Expand Down

0 comments on commit 30b929e

Please sign in to comment.