Hopefully this will make those who cannot get the source code to the page previously posted, but still claim they can, understand how and why they couldn't.

The premise and underlying concept is that IE 5+ will not show source code to a page rendered from an external javascript. In the example the following was used:

    <script language="javascript" src="http://www.ispelunker.com/news/noshow.php3"></script>

The php script this references does a little checking and then delivers the content.

Contents of noshow.php3:

    <?php
    // Refuse HEAD requests outright
    if ($REQUEST_METHOD == "HEAD"){
        die("This server does not give HEAD");
    }
    // Only continue when the User-Agent contains "MSIE 5"
    if (!(eregi("MSIE 5", $HTTP_USER_AGENT))){
        die("document.write('Your browser is not supported');");
    }
    // Only continue when the request was referred by the page that embeds the script
    if ($HTTP_REFERER != "http://www.ispelunker.com/news/xmlxsl.html"){
        print "No cheating;\n";
        if ($REQUEST_METHOD == "HEAD"){
            print "This server does not give HEAD\n";
        }
    } else {
    ?>
    strXML = "http://www.ispelunker.com/news/topnews.php3";
    strXSL = "http://www.ispelunker.com/news/xsl.xsl";
    var xml = new ActiveXObject("Microsoft.XMLDOM");
    var xsl = new ActiveXObject("Microsoft.XMLDOM");
    document.write('<iframe id="body" name="body" style="position:absolute;visibility:hidden;width:1px;height:1px;"></iframe>');
    xml.async = false;
    xsl.async = false;
    xsl.load(strXSL);
    xml.load(strXML);
    var theString = xml.transformNode(xsl);
    document.write(theString);
    //document.write(xml.transformNode(xsl));
    <?php
    }
    ?>

It is pretty explanatory. It checks for a head dump and gives a message and kills the script; no content is delivered. It then checks for the substring "MSIE 5"; if this does not exist, it gives a message and kills the script, and no content is delivered. It then checks to make sure the proper file is calling it; if it is not, it will give a message and kill the script. Finally it checks for a head dump again if the referrer field is actually correct.

If everything is in order, e.g. we have a MSIE 5+ browser, no head dumps and the proper file is calling the script, then we will deliver the actual javascript.

The javascript is a few lines of code which take in an xml file and an xsl file and use the xmldom of MSIE 5+ to render the content. You will note the hidden iframe written out via the javascript. This is named "body" and defeats the document.body.outerHTML hack to view the source demonstrated by Jim; it will give "undefined" if you try and access the document.body.outerHTML. The reason very simply is that if there is a window called "body" then that is exactly what you will get when you ask for document.body; in this case it is an empty iframe which gives "undefined" because there is no outerHTML. (do you finally understand this Jim)

The xml file is accessed via http://www.ispelunker.com/news/topnews.php3

The contents of topnews.php3 are:

    <?php
    // Same three checks as noshow.php3
    if ($REQUEST_METHOD == "HEAD"){
        die("This server does not give HEAD");
    }
    if (!(eregi("MSIE 5", $HTTP_USER_AGENT))){
        die("Your browser is not supported");
    }
    if ($HTTP_REFERER != "http://www.ispelunker.com/news/xmlxsl.html"){
        print "No cheating;\n";
        if ($REQUEST_METHOD == "HEAD"){
            print "This server does not give HEAD\n";
        }
    } else {
        // Fetch the remote XML feed and relay it from this server
        $filename = "http://p.moreover.com/cgi-local/page?c=Top%20stories&o=xml";
        $fd = fopen( $filename, "r" );
        $contents = fread( $fd, 20000 );
        fclose( $fd );
        print $contents;
    }
    ?>

The first part of the if does the same as the noshow.php. After the else, it sucks in the xml file and then prints it out; this is done to avoid cross site scripting errors in the browser. The same code can be used for the xsl file to protect that as well.

And finally I just threw a few extra goodies into the main file because I was too lazy to script them out via php. These are in the xmlxsl.html file:

    <body onBlur="playWithClipboard('Copy')"
          onMouseDown="document.all.byby.style.visibility='hidden';document.all.jerry.style.visibility='visible'"
          onMouseUp="document.all.byby.style.visibility='visible';document.all.jerry.style.visibility='hidden'">

The onmouseups and onmousedowns are used to hide and show layers when people try and click in the window. The onBlur="playWithClipboard('Copy')" handler, fired on the onBlur event, calls this function:

    <script language="javascript">
    function playWithClipboard(doWhat) {
        // Select the text of the hidden textarea and run the given command on it
        textRange = document.all.bpp.createTextRange();
        textRange.moveToElementText(bpp);
        textRange.execCommand(doWhat);
    }
    </script>

And needs this element to hold a message (you could use any DIV or layer):

    <textarea id="bpp" rows="10" cols="40" style="visibility:hidden;">Hi jerry, Stop Trying to steal my source code :) </textarea>

When the mouse leaves the focus of the window (not browser window, the window object (do you understand the difference Jim)), it copies the message in the hidden textarea to the clipboard. A side effect of this is that it will recopy the message when the actual browser window is unfocused.

Now that everyone knows how it was done, there will be people suddenly able to come up with the source. No shit, I told you everything you need to know to get the source if you are creative enough; without this information, you would be in the dark about what the hell was going on. I suspect there will be some who have no clue who will still deny that it can be done, but the fact remains, the page sat for three days in its final form with an open challenge to view the source and no one was able to come up with the HTML source.

Now all this was done in spare time and under no great concern. I imagine that if care was taken, the above methods could be further improved to add yet more layers of prevention.

B.P. http://www.ispelunker.com/
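
The server-side checks shared by noshow.php3 and topnews.php3, modelled as an added example (not part of the original post or the site's code) so the response to each kind of request can be tabulated. The sample requests, the `gate` and `decisionTable` names and the placeholder payload string are constructed for illustration.

```javascript
// Added example: a model of the three checks in noshow.php3, run over constructed requests.
// Every input comes from the request itself: method, User-Agent header, Referer header.
const EXPECTED_REFERER = "http://www.ispelunker.com/news/xmlxsl.html";

function gate(req) {
  // 1. HEAD is refused first; die() ends the script here.
  if (req.method === "HEAD") {
    return { served: false, body: "This server does not give HEAD" };
  }
  // 2. eregi() is a case-insensitive match, so "MSIE 5" may appear anywhere in the header.
  if (!/MSIE 5/i.test(req.userAgent || "")) {
    return { served: false, body: "document.write('Your browser is not supported');" };
  }
  // 3. Exact string comparison against the one embedding page.
  if ((req.referer || "") !== EXPECTED_REFERER) {
    // The PHP tests for HEAD again in this branch, but step 1 already
    // ended the script for HEAD, so that inner print can never run.
    return { served: false, body: "No cheating;\n" };
  }
  return { served: true, body: "<script payload placeholder>" };
}

// Constructed sample requests (not captured traffic).
const IE5 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)";
const samples = [
  { label: "HEAD, IE5, expected referer", method: "HEAD", userAgent: IE5, referer: EXPECTED_REFERER },
  { label: "GET, non-IE browser", method: "GET", userAgent: "Mozilla/4.7 [en] (X11; U; Linux)", referer: EXPECTED_REFERER },
  { label: "GET, IE5, URL typed directly", method: "GET", userAgent: IE5, referer: "" },
  { label: "GET, IE5, referer with query", method: "GET", userAgent: IE5, referer: EXPECTED_REFERER + "?x=1" },
  { label: "GET, IE5.5 lowercase token", method: "GET", userAgent: "mozilla/4.0 (compatible; msie 5.5)", referer: EXPECTED_REFERER },
  { label: "GET, IE5, expected referer", method: "GET", userAgent: IE5, referer: EXPECTED_REFERER },
];

// Returns [label, served] pairs for the samples above.
function decisionTable() {
  return samples.map((s) => [s.label, gate(s).served]);
}

for (const [label, served] of decisionTable()) {
  console.log((served ? "served   " : "refused  ") + label);
}
```

The table makes the scope of the gate visible: the outcome is decided entirely by three header values supplied with the request, and the comparison in step 3 is exact, so even a query string appended to the embedding page's URL changes the result.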