Bill Platt


Bill Platt is a regular on alt.html where he is less known for his smooth social manner and delicate phrasings than he is for his passionate explanations. -- Jerry Muelver
On Tue, 10 Apr 2001 00:43:07 GMT, "B.P. - iSpelunker.com" wrote on alt.html
Hopefully this will make those who cannot get the source code to the page
previously posted but still claim they can understand how and why they
couldn't.

The premise and underlying concept is that IE 5+ will not show source code
to a page rendered from an external javascript.

In the example the following was used

<script language="javascript"
src="http://www.ispelunker.com/news/noshow.php3"></script>

The php script this references does a little checking and then delivers the
content

Contents of noshow.php3

<?php
// Refuse HEAD requests outright: nothing is delivered.
if ($REQUEST_METHOD == "HEAD"){
 die("This server does not give HEAD");
 }
// Only an MSIE 5+ user agent gets the script (eregi() is case-insensitive).
if (!(eregi("MSIE 5", $HTTP_USER_AGENT))){ 
 die("document.write('Your browser is not supported');");
 }
// Only the intended page may include this script.
if ($HTTP_REFERER != "http://www.ispelunker.com/news/xmlxsl.html"){
 print "No cheating;\n";
  if ($REQUEST_METHOD == "HEAD"){
  print "This server does not give HEAD\n";
  }
 }
else {
?>
var strXML = "http://www.ispelunker.com/news/topnews.php3";
var strXSL = "http://www.ispelunker.com/news/xsl.xsl";
var xml = new ActiveXObject("Microsoft.XMLDOM");
var xsl = new ActiveXObject("Microsoft.XMLDOM");
// Hidden iframe named "body" so that document.body resolves to it (see below).
document.write('<iframe id="body" name="body" style="position:absolute;visibility:hidden;width:1px;height:1px;"></iframe>');
xml.async = false;
xsl.async = false;
xsl.load(strXSL);
xml.load(strXML);
var theString = xml.transformNode(xsl);
document.write (theString);
//document.write(xml.transformNode(xsl));
<?php
}
?>

It is pretty explanatory, it checks for a head dump and gives a message and 
kills the script, no content is delivered, it then checks for the substring 
"MSIE 5" if this does not exist, it gives a message and kills the script, 
no content is delivered.  It then checks to make sure the proper file is 
calling it, if it is not, it will give a message and kill the script.  Finally 
it checks for a head dump again if the referrer field is actually correct.

If everything is in order, e.g. we have an MSIE 5+ browser, no head dumps and the 
proper file is calling the script, then we will deliver the actual javascript.

The javascript is a few lines of code which take in an xml file and an xsl
file and uses the xmldom of MSIE 5+ to render the content.

You will note the hidden iframe written out via the javascript, this is
named "body" and defeats the document.body.outerHTML hack to view the source
demonstrated by Jim, it will give "undefined" if you try and access the
document.body.outerHTML.  The reason very simply is that if there is a
window called "body" then that is exactly what you will get when you ask for
document.body, in this case it is an empty iframe which gives "undefined"
because there is no outerHTML.  (do you finally understand this Jim)

The xml file is accessed via

http://www.ispelunker.com/news/topnews.php3

The contents of topnews.php3 are

<?php
// Same three checks as noshow.php3: no HEAD, MSIE 5+ only, correct referrer.
if ($REQUEST_METHOD == "HEAD"){
 die("This server does not give HEAD");
 }
if (!(eregi("MSIE 5", $HTTP_USER_AGENT))){ 
 die("Your browser is not supported");
 }
if ($HTTP_REFERER != "http://www.ispelunker.com/news/xmlxsl.html"){
 print "No cheating;\n";
  if ($REQUEST_METHOD == "HEAD"){
  print "This server does not give HEAD\n";
  }
 }
else {
 // Fetch the XML feed server-side and relay it, so the browser sees one origin.
 $filename = "http://p.moreover.com/cgi-local/page?c=Top%20stories&o=xml";
 $fd = fopen( $filename, "r" ); 
 $contents = fread( $fd, 20000 ); 
 fclose( $fd ); 
 print $contents;
 }
?>

The first part of the if does the same as the noshow.php3.

After the else, it sucks in the xml file and then prints it out, 
this is done to avoid cross site scripting errors in the browser.

The same code can be used for the xsl file to protect that as well.

And finally I just threw a few extra goodies into the main file 
because I was too lazy to script them out via PHP.

These are in the xmlxsl.html file

<body onBlur="playWithClipboard('Copy')" onMouseDown="document.all.byby.style.visibility='hidden';document.all.jerry.style.visibility='visible'" onMouseUp="document.all.byby.style.visibility='visible';document.all.jerry.style.visibility='hidden'">

The onmouseups and onmousedowns are used to hide and show layers when 
people try and click in the window.

The function onBlur="playWithClipboard('Copy')"  called with the onBlur
event calls this function

<script language="javascript">
function playWithClipboard(doWhat)
{
  // Select the whole text of the hidden textarea and run the given command on it.
  var textRange = document.all.bpp.createTextRange();
  textRange.moveToElementText(document.all.bpp);
  textRange.execCommand(doWhat);
}
</script>

And needs this element to hold a message (you could use any DIV or layer)

<textarea id="bpp" rows="10" cols="40" style="visibility:hidden;">Hi jerry,
Stop Trying to steal my source code :) </textarea>

When the mouse leaves the focus of the window (not browser window, the
window object (do you understand the difference Jim)), it copies the message
in the hidden textarea to the clipboard.  A side effect of this is that it
will recopy the message when the actual browser window is unfocused.

Now that everyone knows how it was done, there will be people suddenly able
to come up with the source, no shit, I told you everything you need to know
to get the source if you are creative enough, without this information, you
would be in the dark about what the hell was going on.

I suspect there will be some who have no clue who will still deny that it
can be done but the fact remains, the page sat for three days in its final
form with an open challenge to view the source and no one was able to come
up with the HTML source.

Now all this was done in spare time and under no great concern, I imagine
that if care was taken, the above methods could be further improved to add
yet more layers of prevention.

B.P.
http://www.ispelunker.com/
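The gate in noshow.php3 decides on exactly three request headers. The Python model below (an added example, not B.P.'s code; the names gate, noshow_app and call and the sample user-agent strings are constructed) reproduces that decision as a WSGI app so it can be exercised offline. It makes the security property explicit: the answer depends only on values the requesting client supplies, so the check deters casual source viewing but does not establish who is asking.

```python
"""Server-side gate modelled on noshow.php3 from the post above (added example)."""
from wsgiref.util import setup_testing_defaults
from wsgiref.simple_server import make_server

ALLOWED_REFERER = "http://www.ispelunker.com/news/xmlxsl.html"  # from the post

# Abridged form of the JavaScript the PHP emits in its else branch.
SCRIPT_BODY = (
    'var xml = new ActiveXObject("Microsoft.XMLDOM");\n'
    'var xsl = new ActiveXObject("Microsoft.XMLDOM");\n'
    'xml.async = false; xsl.async = false;\n'
    'xsl.load("http://www.ispelunker.com/news/xsl.xsl");\n'
    'xml.load("http://www.ispelunker.com/news/topnews.php3");\n'
    'document.write(xml.transformNode(xsl));\n'
)

def gate(method, user_agent, referer):
    """Return the body noshow.php3 would send for one request.

    HEAD is refused, a non-MSIE-5 agent gets a stub, a wrong Referer gets
    "No cheating", anything else gets the script.  All three inputs are
    headers chosen by the client, so this is a claim check, not an identity check.
    """
    if method == "HEAD":
        return "This server does not give HEAD"
    if "msie 5" not in user_agent.lower():      # eregi() is case-insensitive
        return "document.write('Your browser is not supported');"
    if referer != ALLOWED_REFERER:
        return "No cheating;\n"
    return SCRIPT_BODY

def noshow_app(environ, start_response):
    """WSGI adapter: read the three headers from the request and answer."""
    body = gate(environ["REQUEST_METHOD"],
                environ.get("HTTP_USER_AGENT", ""),
                environ.get("HTTP_REFERER", ""))
    start_response("200 OK", [("Content-Type", "application/x-javascript")])
    return [body.encode()]

def call(method, user_agent, referer):
    """Drive noshow_app with a constructed request, the way a test client would."""
    environ = {"REQUEST_METHOD": method, "HTTP_USER_AGENT": user_agent,
               "HTTP_REFERER": referer}
    setup_testing_defaults(environ)          # keeps the values set above
    seen = []
    body = b"".join(noshow_app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0], body.decode()

if __name__ == "__main__":
    make_server("", 8000, noshow_app).serve_forever()
```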


Last edited April 10, 2001 5:50 am (diff)