Email Obfuscation Ad-on Development, was: [Pmwiki-users] Intercepting $_POST['text']

Steven Leite steven_leite
Fri May 7 20:45:59 CDT 2004


> For example, something like:
> $LinkPatterns[190]["/\\bmailto:($UrlPathPattern)/e"] =
'Obfuscate("$1");';
> function Obfuscate($email) {
>    return "email: " . str_replace('@',' at ',str_replace('.',' dot
',$email));
>}
>
> leaves the original text untouched, but changes the way it displays.

> Why change the input instead of the output?

Because (as was pointed out to me by Pm), when the spam bot clicks on
the "Edit This Page" link, it finds the email address in the <textarea>
field of the Edit Box.

What I'm planning on doing is changing the input (yes, changing the
original text), so that it reads something like:

.. Jack and Jill went up the Hill.  You can leave a message with Jack.
His email address is [[hidden email:ddaE!adHGJTdjad.j3.3ia]].  You can
also contact Jill at her email.  It's [[hidden email: Dsdkja#d9dfjka]].

When a user first inputs the email in a form recognized by PmWiki, the
add-on will search for email addresses, and change them accordingly.

When somebody browses the page, the add-on will detect the [[hidden
email: ???] directive, and deocode it to back to the original email.
We're not done yet.  To avoid spam bot's picking up the email on the
browsed page, the add-on will use a simple javascript to obfuscate the
email address when the page is viewed, but users clicking on the mailto:
link will still be able to send the person email.

There's one further thought .. some people may not like the fact that
this script is changing the input.  Eg.  Somebody enters their email
address as [[mailto:me at mydomain.com]] .. saves the page.  Then clicks
the edit page link, and see's it's been changed to [[hidden
email:342sd#$fj894]].

Another approach (idea credit also goes to Pm for this one) is to
introduce a new format for the [[mailto:]] directive which recognizes a
user's Profile.  Since we don't yet have secure Profile pages, I thought
a combination of these two methods might work (as follows):

User enter his email address like this in the Wiki Text:
[[mailto:{{StevenLeite}}]].

The add-on would recognize that there is a WikiWord in the field.  It
would then check the Profiles/{{StevenLeite}} WikiPage to see if it
exists.  If the exists it's searched for the previously mentioned
directive ( [[hidden email: #dju39472l]] ).  It converts it, does the
obfuscation, and then replace the [[mailto:{{StevenLeite}}]] stuff with
the obfuscated address.

The second method doesn't change the Wiki text at all.  But the
downside(s) are that
1) User has to know about the email obfuscation add-on to use it
2) they have to know how to use it
3) they have to enter their info on a profile page

Personally, I would find that fairly cumbersome, but if it meant being
able to put my email address on a website without worrying too much
about spam bot's picking it up, and if I was a frequent user of the wiki
(site), then I suppose I might take the extra few minutes to set it all
up.

On the other hand, I personally feel responsible for my "user base" ..
and as such, I would like to take measures to protect any email address
found on my wiki site, whether the user realizes it or not.  I think
replacing the input with a simple [[hidden email: ]] directive is
sufficient and explanitory so that even a new author might figure out
what has happened.

Comments and suggestions most welcome.

-Steven Leite






More information about the pmwiki-users mailing list